5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-4067

GHSA ID

GHSA-952p-6rrq-rcjv

EPSS Score

0.3274%

CWE

CWE-1333

Published

5/14/2024

Updated

8/28/2024

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-4067

CVE-2024-4067: Regular Expression Denial of Service (ReDoS) in micromatch

The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.

(GitHub Advisory)

5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-4067

GHSA ID

GHSA-952p-6rrq-rcjv

EPSS Score

0.3274%

CWE

CWE-1333

Published

5/14/2024

Updated

8/28/2024

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
micromatch	npm	< 4.0.8	4.0.8

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description explicitly states that the ReDoS occurs in micromatch.braces() in index.js due to the greedy nature of the .* pattern in a regular expression. I analyzed the provided commit SHAs (500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0 and 03aa8052171e878897eee5d7bb2ae0ae83ec2ade), which are patches for this vulnerability. Both commits show an identical change in index.js within the micromatch.braces function. Specifically, the vulnerable regular expression /\\{.*\\}/ used with .test(pattern) was replaced by a call to a new helper function hasBraces(pattern). This directly confirms that micromatch.braces was the function containing the vulnerable code. The patch evidence is the line removed from this function, which contained the problematic regex. The new function hasBraces is part of the fix and not the vulnerable component.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** NPM p**k*** `mi*rom*t**` prior to v*rsion *.*.* is vuln*r**l* to R**ul*r *xpr*ssion **ni*l o* S*rvi** (R**oS). T** vuln*r**ility o**urs in `mi*rom*t**.*r***s()` in `in**x.js` ****us* t** p*tt*rn `.*` will *r***ily m*t** *nyt*in*. *y p*ssin* * m*l

Reasoning

T** vuln*r**ility **s*ription *xpli*itly st*t*s t**t t** R**oS o**urs in `mi*rom*t**.*r***s()` in `in**x.js` *u* to t** *r***y n*tur* o* t** `.*` p*tt*rn in * r**ul*r *xpr*ssion. I *n*lyz** t** provi*** *ommit S**s (**********************************

5.3

Basic Information

Concerned about an active attack path?

CVE-2024-4067: Regular Expression Denial of Service (ReDoS) in micromatch

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI