CVE-2024-4067

Regular Expression Denial of Service in micromatch

Severity Score (CVSS v3.1): 5.3
Exploit Likelihood (EPSS):
Affected Versions (CPE):
Public Exploits (Multiple Sources): 0
Exploited in Wild (KEV): -
Decision (SSVC): Attend

Descriptions

The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` greedily matches anything. Given a malicious payload, the matcher keeps backtracking through the input for as long as it fails to find the closing bracket. As the input size grows, the time consumed grows with it until the application hangs or slows down. A fix was merged, but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that does not start backtracking because of greedy matching.

The NPM package `micromatch` prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` greedily matches anything. Given a malicious payload, the matcher keeps backtracking through the input for as long as it fails to find the closing bracket. As the input size grows, the time consumed grows with it until the application hangs or slows down. A fix was merged, but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that does not start backtracking because of greedy matching. This issue was fixed in version 4.0.8.

A flaw was found in the NPM package `micromatch` where it is vulnerable to a regular expression denial of service (ReDoS). The issue occurs in `micromatch.braces()` in `index.js` because the pattern `.*` greedily matches anything. Given a malicious payload, the matcher keeps backtracking through the input for as long as it fails to find the closing bracket. As the input size grows, the time consumed grows with it until the application hangs or slows down. A fix was merged, but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that does not start backtracking because of greedy matching.
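The descriptions above name the mechanism (a greedy `.*` that runs to the end of the input and then backtracks looking for a closing bracket) and the mitigation (a pattern that does not backtrack). The JavaScript below is an added example, not micromatch's own code and not its actual regex: `GREEDY_BRACE` and `SAFE_BRACE` are hypothetical stand-ins for the two pattern shapes, `scanBraceGroup` is a regex-free linear scanner, and `braceGroupOrReject` with its constructed `MAX_PATTERN_LENGTH` shows the length guard a caller can place in front of any matcher that receives untrusted patterns. The sample inputs are constructed.

```javascript
// Added example, not micromatch's own code. Compares the greedy pattern shape
// the advisory describes with two alternatives that cannot backtrack over a
// long run, plus an input-length guard for callers of a glob matcher.

// Hypothetical greedy shape (not the library's actual regex): `.*` consumes to
// the end of the input, then backs off one character at a time until `}`
// matches or the attempt is exhausted. For every `{` the engine tries, an
// input with no closing brace costs work proportional to the remaining length.
const GREEDY_BRACE = /\{.*\}/;

// Safer shape: a negated character class stops at the first brace it meets, so
// a missing `}` is discovered after a bounded scan with nothing to backtrack over.
const SAFE_BRACE = /\{[^{}]*\}/;

// Runs one of the patterns and returns the matched brace group, or null.
function extractBraceGroup(re, input) {
  const m = re.exec(input);
  return m ? m[0] : null;
}

// Regex-free equivalent of SAFE_BRACE: one left-to-right pass that remembers
// the most recent `{` and returns on the first `}` after it. Linear in the
// input length whatever the content.
function scanBraceGroup(input) {
  let open = -1;
  for (let i = 0; i < input.length; i++) {
    const c = input[i];
    if (c === '{') {
      open = i;
    } else if (c === '}' && open !== -1) {
      return input.slice(open, i + 1);
    }
  }
  return null;
}

// Constructed limit (assumption): user-supplied glob patterns are short in
// practice, so oversized input can be refused before any matcher sees it.
const MAX_PATTERN_LENGTH = 256;

// Guarded entry point a caller might wrap around an untrusted pattern:
// rejects non-strings and over-long input, otherwise uses the linear scanner.
function braceGroupOrReject(input, maxLen = MAX_PATTERN_LENGTH) {
  if (typeof input !== 'string') {
    return { accepted: false, reason: 'pattern must be a string' };
  }
  if (input.length > maxLen) {
    return { accepted: false, reason: `pattern longer than ${maxLen} characters` };
  }
  return { accepted: true, group: scanBraceGroup(input) };
}

// Side-by-side view of what each approach returns for one input.
function compareApproaches(input) {
  return {
    greedy: extractBraceGroup(GREEDY_BRACE, input),
    safe: extractBraceGroup(SAFE_BRACE, input),
    scan: scanBraceGroup(input),
  };
}

// Constructed sample inputs: a well-formed brace pattern, a nested one, and an
// unterminated one of the shape the advisory warns about.
const SAMPLES = {
  wellFormed: 'src/{a,b}.js',
  nested: 'a{b{c}d',
  unterminated: '{' + 'x'.repeat(50),
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, input] of Object.entries(SAMPLES)) {
    console.log(name, compareApproaches(input));
  }
  console.log(braceGroupOrReject('{'.repeat(300)));
}
```

On the well-formed sample all three approaches agree; on the nested sample the greedy pattern stretches from the first `{` to the last `}` while the negated-class pattern and the scanner return the innermost group, which is the behavioural difference to review when swapping a greedy pattern for a safe one; on the unterminated sample all three return null, but only the greedy pattern pays for the full backtrack before doing so.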

Credits: Mário Teixeira, Checkmarx Research Group
CVSS Scores
  • Vector 1: Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality: None; Integrity: None; Availability: Low
  • Vector 2: Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality: None; Integrity: None; Availability: High
* Common Vulnerability Scoring System
SSVC
  • Decision: Attend
  • Exploitation: None
  • Automatable: Yes
  • Tech. Impact: Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-04-23 CVE Reserved
  • 2024-05-13 CVE Published
  • 2024-05-14 EPSS Updated
  • 2024-09-17 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-1333: Inefficient Regular Expression Complexity
CAPEC
Affected Vendors, Products, and Versions
  • Vendor: Micromatch; Product: Micromatch; Version: < 4.0.8; Other: en; Status: Affected