CVE-2024-4067
ReDoS vulnerability in micromatch (npm)
What is CVE-2024-4067 About?
The NPM package `micromatch` prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). This flaw specifically affects `micromatch.braces()`, where a greedy pattern can cause excessive backtracking on malicious input. Exploitation is relatively easy: it only requires crafting a specific, long input string.
Affected Software
Technical Details
The Regular Expression Denial of Service (ReDoS) vulnerability in micromatch (prior to version 4.0.8) resides within the micromatch.braces() function, specifically in index.js. The issue is caused by a greedily matching regular expression pattern (e.g., .*) used to parse brace expansions. When presented with a specially crafted malicious payload, such as a long string with many opening brackets but no matching closing bracket (e.g., [[[[[[[[...[[[[[A), the regex engine attempts to match the greedy .* pattern. This leads to extensive backtracking as the engine tries all possible combinations to satisfy the pattern, exhausting CPU resources. As the length of the input string increases, the processing time grows exponentially, causing the application to hang or become unresponsive, effectively leading to a denial of service.
What is the Impact of CVE-2024-4067?
Successful exploitation may allow attackers to consume excessive CPU resources, leading to a denial of service for applications using the affected `micromatch` package.
What is the Exploitability of CVE-2024-4067?
Exploitation of this ReDoS vulnerability is relatively straightforward, requiring an attacker to provide a specially crafted, long input string that triggers the greedy regex's backtracking. No authentication or specific privileges are required; if user input reaches micromatch.braces(), the application is vulnerable. This is a remote attack if the affected functionality is exposed via a web interface or API that accepts user-supplied strings. The key prerequisite is that the application uses the vulnerable micromatch.braces() function to process external input. The complexity is low, as the pattern of malicious input is well-known for ReDoS attacks. Factors that increase exploitability include any entry point where arbitrary strings are passed to micromatch for pattern matching without length limits or pre-validation.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2024-4067?
About the Fix from Resolved Security
The patch replaces a permissive regular expression check for braces with a stricter function (hasBraces) that explicitly ensures both '{' and '}' exist in the correct order within the pattern string. This fixes CVE-2024-4067 by preventing bypasses where malformed or partial brace patterns could be incorrectly evaluated, potentially leading to denial of service or unintended pattern expansion.
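To make the fix concrete, and to show the length guard the exploitability section recommends, here is an added example. It is not micromatch's own code: `hasBraces` is a hypothetical reimplementation of the ordered '{' then '}' check the advisory describes, `hasBracesPermissive` stands in for the kind of greedy regex check that was replaced, and `MAX_PATTERN_LENGTH`, `safeBraces` and the toy `expandSimpleGroup` expander are assumptions of this example.

```javascript
// Added example, not micromatch's own code: a strict brace check of the kind the
// advisory describes for the 4.0.8 fix, beside a permissive greedy-regex check
// of the kind it replaced, plus an input guard for callers that pass external
// strings in.

// Permissive check: a greedy regex. On a long run of '{' with no '}', the engine
// restarts at every '{', lets '.*' swallow the rest of the string, then backs off
// one character at a time looking for a '}' that never comes.
const PERMISSIVE_BRACE_RE = /\{.*\}/;
function hasBracesPermissive(pattern) {
  return PERMISSIVE_BRACE_RE.test(pattern);
}

// Strict check (hypothetical reimplementation of what the advisory says hasBraces
// does): a '{' must be present and a '}' must appear after it. Two index scans,
// linear in the pattern length, with no backtracking at all.
function hasBraces(pattern) {
  if (typeof pattern !== 'string') throw new TypeError('Expected a string');
  const open = pattern.indexOf('{');
  if (open === -1) return false;
  return pattern.indexOf('}', open + 1) !== -1;
}

// Defensive wrapper for application code: bound the pattern length before any
// parser sees it, then only hand real brace patterns to the expander. The limit
// and the expander callback are assumptions of this example.
const MAX_PATTERN_LENGTH = 1024;
function safeBraces(pattern, expand) {
  if (typeof pattern !== 'string') throw new TypeError('Expected a string');
  if (pattern.length > MAX_PATTERN_LENGTH) {
    throw new RangeError(`pattern exceeds ${MAX_PATTERN_LENGTH} characters`);
  }
  if (!hasBraces(pattern)) return [pattern];
  return expand(pattern);
}

// Minimal stand-in expander for a single top-level {a,b,c} group, so the wrapper
// can be exercised without pulling in a real brace-expansion library.
function expandSimpleGroup(pattern) {
  const open = pattern.indexOf('{');
  const close = pattern.indexOf('}', open + 1);
  const head = pattern.slice(0, open);
  const tail = pattern.slice(close + 1);
  return pattern.slice(open + 1, close).split(',').map(alt => head + alt + tail);
}

// Constructed input in the "many opening braces, no closing brace" shape the
// advisory describes; the guard rejects it before any regex runs.
function buildUnterminated(count) {
  return '{'.repeat(count) + 'A';
}

// Side-by-side verdicts for a pattern, for inspection.
function classify(pattern) {
  return {
    pattern: pattern.length > 16 ? `${pattern.slice(0, 13)}...` : pattern,
    length: pattern.length,
    permissive: hasBracesPermissive(pattern),
    strict: hasBraces(pattern),
  };
}

// Constructed samples: ordinary globs, an out-of-order pair, a lone brace, and
// the unterminated run.
const SAMPLES = ['src/*.js', 'a{b,c}d', '}{', '{', buildUnterminated(5000)];
for (const sample of SAMPLES) console.log(classify(sample));
```

Both checks agree on the sample inputs; the difference is the work done to reach the verdict. The strict version returns `false` for the unterminated run after two linear scans, while the regex version retries its greedy match from every '{' position. Putting the length limit in front of either check keeps oversized external strings away from every regex the library runs, not just this one.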
Available Upgrade Options
- micromatch
- <4.0.8 → Upgrade to 4.0.8
Additional Resources
- https://github.com/micromatch/micromatch
- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448
- https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade
- https://github.com/micromatch/micromatch/issues/243
- https://github.com/micromatch/micromatch/releases/tag/4.0.8
- https://advisory.checkmarx.net/advisory/CVE-2024-4067
- https://devhub.checkmarx.com/cve-details/CVE-2024-4067
What are Similar Vulnerabilities to CVE-2024-4067?
Similar Vulnerabilities: CVE-2023-28841, CVE-2022-26164, CVE-2021-23337, CVE-2020-28283, CVE-2019-10744
