CVE-2024-4067

CVSS V2 None CVSS V3 None

Description

The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.

Overview

CVE ID
CVE-2024-4067

Assigner
Checkmarx

Vulnerability Status
PUBLISHED

Published Version
2024-05-13T10:04:42.886Z

Last Modified Date
2024-06-04T17:55:00.727Z

Weakness Enumerations

CWE	URL
CWE-1333	http://cwe.mitre.org/data/definitions/1333.html

References

Reference URL	Reference Tags
https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448
https://github.com/micromatch/micromatch/issues/243
https://github.com/micromatch/micromatch/pull/247
https://devhub.checkmarx.com/cve-details/CVE-2024-4067/	third-party-advisory

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-4067
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4067

History

Created	Old Value	New Value	Data Type	Notes
2024-06-23 22:02:32				Added to TrackCVE