Regular Expression Denial of Service in Micromatch NPM Package
CVE-2024-4067

5.3MEDIUM

Key Information:

Vendor: Micromatch
Status: Micromatch
Vendor: CVE Published:; 14 May 2024

What is CVE-2024-4067?

The Micromatch NPM package prior to version 4.0.8 is affected by a vulnerability that allows for Regular Expression Denial of Service (ReDoS). The issue lies within the micromatch.braces() function, where the regex pattern .* can enter an extensive backtracking loop when processing maliciously crafted inputs. This leads to excessive resource consumption, effectively causing applications that utilize Micromatch to hang or slow significantly. A fix was merged, but subsequent tests indicate the vulnerability may still persist. Developers are advised to employ safer regex patterns to avoid initiating backtracking during matches.

References

https://devhub.checkmarx.com/cve-details/CVE-2024-4067/

https://github.com/micromatch/micromatch/pull/247

https://github.com/micromatch/micromatch/issues/243

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 14, 2024

CVE-2024-4067 Data

JSON