Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS05NTJwLTZycnEtcmNqds4AA7_p
Regular Expression Denial of Service (ReDoS) in micromatch
The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix, but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.
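As an added illustration (not micromatch's own code and not part of the advisory), the script below puts a brace check that relies on a greedy .* , in the style the advisory describes, next to a single-pass linear check, and times both on constructed inputs made of unclosed braces; the names hasBracesGreedy, hasBracesLinear, timeCheck and growthRatio are chosen here.

```javascript
// Added example, not micromatch's own code: a brace check that relies on a
// greedy `.*`, in the style the advisory describes, next to a single-pass
// linear check, timed on constructed inputs that never close the brace.
const now = () => (typeof performance !== 'undefined' ? performance.now() : Date.now());

// Greedy form: `.*` swallows the rest of the string, then backtracks one
// character at a time looking for `}`. Every `{` in the input restarts that work.
const GREEDY_BRACES = /\{.*\}/;
function hasBracesGreedy(pattern) {
  return GREEDY_BRACES.test(pattern);
}

// Linear form: one left-to-right pass, no regex engine, no backtracking.
// Mirrors the regex semantics: `.` does not cross a line terminator, so a
// line terminator forgets any `{` seen before it.
function hasBracesLinear(pattern) {
  let open = false;
  for (const ch of pattern) {
    if (ch === '{') open = true;
    else if (ch === '}' && open) return true;
    else if (ch === '\n' || ch === '\r' || ch === '\u2028' || ch === '\u2029') open = false;
  }
  return false;
}

// Runs `check` on n unclosed braces (constructed worst case) and reports the
// result together with the elapsed milliseconds.
function timeCheck(check, n) {
  const input = '{'.repeat(n);
  const start = now();
  const matched = check(input);
  return { matched, ms: now() - start };
}

// Time at 2n divided by time at n: roughly 2 for linear work, roughly 4 for
// quadratic backtracking. Noisy for tiny timings, so treat it as a signal only.
function growthRatio(check, n) {
  const t1 = timeCheck(check, n).ms;
  const t2 = timeCheck(check, 2 * n).ms;
  return t2 / Math.max(t1, 0.001);
}

for (const [name, check] of [['greedy .*', hasBracesGreedy], ['linear scan', hasBracesLinear]]) {
  const r = timeCheck(check, 8000);
  console.log(`${name}: matched=${r.matched} ms=${r.ms.toFixed(2)} growth(4k->8k)=${growthRatio(check, 4000).toFixed(1)}`);
}
```

Both checks agree on ordinary glob patterns; the difference shows up only in how the elapsed time grows with the length of an input that never closes its brace.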
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05NTJwLTZycnEtcmNqds4AA7_p
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 7 months ago
Updated: 3 months ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Identifiers: GHSA-952p-6rrq-rcjv, CVE-2024-4067
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-4067
- https://github.com/micromatch/micromatch/issues/243
- https://github.com/micromatch/micromatch/pull/247
- https://devhub.checkmarx.com/cve-details/CVE-2024-4067
- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448
- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0
- https://github.com/micromatch/micromatch/pull/266
- https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade
- https://advisory.checkmarx.net/advisory/CVE-2024-4067
- https://github.com/micromatch/micromatch/releases/tag/4.0.8
- https://github.com/advisories/GHSA-952p-6rrq-rcjv
Blast Radius: 33.2
Affected Packages
npm:micromatch
Dependent packages: 4,709
Dependent repositories: 1,847,280
Downloads: 358,771,128 last month
Affected Version Ranges: < 4.0.8
Fixed in: 4.0.8
All affected versions: 0.1.0, 0.2.0, 0.2.1, 0.2.2, 1.0.0, 1.0.1, 1.2.0, 1.2.2, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.5.0, 1.6.0, 1.6.1, 1.6.2, 2.0.0, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.3.9, 2.3.10, 2.3.11, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.1.10, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7
All unaffected versions: 4.0.8