Home > Vulnerability Database > CVE-2024-4067

Mend.io Vulnerability Database

CVE-2024-4067

Good to know:

Date: May 14, 2024

The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.

Language: JS

Severity Score

5.3

Related Resources (7)

Url: https://github.com/micromatch/micromatch/issues/243

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-4067

Url: https://security-tracker.debian.org/tracker/CVE-2024-4067

Url: https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448

Url: https://github.com/micromatch/micromatch/pull/247

Url: https://devhub.checkmarx.com/cve-details/CVE-2024-4067/

Url: https://www.mend.io/vulnerability-database/CVE-2024-4067

Severity Score

5.3

Weakness Type (CWE)

Inefficient Regular Expression Complexity

CWE-1333

Top Fix

Upgrade Version

Upgrade to version micromatch - 4.0.6

Learn More

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2024-4067

Good to know:

Date: May 14, 2024

Language: JS

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?