Platform
nodejs
Component
micromatch
Fixed in
4.0.8
CVE-2024-4067 affects the micromatch NPM package, a widely used library for matching strings against glob-style patterns. The vulnerability is a Regular Expression Denial of Service (ReDoS): a malicious payload causes excessive backtracking during pattern matching, leading to application slowdowns or complete hangs. The issue affects versions of micromatch released before 4.0.8. A fix was initially merged, but further testing showed that the issue persisted in releases prior to a specific later commit.
The core of this vulnerability lies in the micromatch.braces() function in index.js. The pattern .* is susceptible to ReDoS because it greedily matches any character sequence. An attacker can craft a payload containing a carefully designed string that forces the regular expression engine to backtrack repeatedly while searching for a closing bracket. As the input size grows, the time spent backtracking increases exponentially, ultimately exhausting the application's resources. This manifests as severe performance degradation, rendering the application unresponsive or crashing it entirely. The blast radius is broad, because micromatch is a dependency of numerous other NPM packages, so a wide range of applications that rely on it transitively may be affected. While not directly exploitable for data exfiltration, the DoS impact can disrupt service and could be used as a distraction for other malicious activity.
CVE-2024-4067 was published on May 14, 2024. The vulnerability is considered to have a medium probability of exploitation (EPSS score pending). Public proof-of-concept (PoC) code is likely to emerge given the relatively straightforward nature of ReDoS attacks and the widespread use of micromatch. The NVD entry is available and provides further details. While no active campaigns targeting this specific vulnerability have been publicly reported, the ease of exploitation makes it a potential target for opportunistic attackers.
Exploit Status
EPSS
0.13% (32nd percentile)
CISA SSVC
CVSS-vector
The primary mitigation for CVE-2024-4067 is to upgrade the micromatch package to version 4.0.8 or later. This version contains a fix that addresses the backtracking issue within the micromatch.braces() function. If upgrading is not immediately feasible due to compatibility concerns or breaking changes, consider implementing a Web Application Firewall (WAF) or proxy to filter potentially malicious input strings before they reach the micromatch library. Specifically, WAF rules should be configured to detect and block payloads containing excessive backtracking patterns. Additionally, carefully review and sanitize any user-supplied input that is used in pattern matching operations. After upgrading to version 4.0.8, confirm the fix by attempting to trigger the ReDoS vulnerability with a known malicious payload; the application should no longer hang or slow down significantly.
Update the `micromatch` dependency to version 4.0.8 or later. This resolves the Regular Expression Denial of Service (ReDoS) vulnerability. Run `npm install micromatch@latest` or `yarn upgrade micromatch` to update.
It's a Regular Expression Denial of Service (ReDoS) vulnerability in the micromatch NPM package, allowing attackers to cause application slowdowns or hangs.
If you're using micromatch versions prior to 4.0.8, you are potentially affected. Check your project dependencies to determine if you're using a vulnerable version.
Upgrade the micromatch package to version 4.0.8 or later. If immediate upgrade isn't possible, consider WAF rules to filter malicious input.
No active campaigns have been publicly reported, but the ease of exploitation makes it a potential target.
Refer to the NVD entry for CVE-2024-4067 and the micromatch project's GitHub repository for details and updates.
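The dependency check recommended above ("check your project dependencies to determine if you're using a vulnerable version") as an added example; this is not code from the advisory or from the micromatch project. It walks a parsed `package-lock.json` (lockfile v2/v3 `packages` map, whose keys are `node_modules/...` paths) and reports every copy of micromatch, including nested transitive copies, that is older than the fixed version 4.0.8 named on this page. The sample lockfile contents are constructed for illustration and do not describe any real project.

```javascript
// Added example (not part of the advisory or the micromatch project):
// find micromatch copies older than the fixed version for CVE-2024-4067
// in a parsed npm lockfile (lockfileVersion 2 or 3 "packages" map).

const FIXED_VERSION = '4.0.8'; // fixed-in version stated in the advisory

// Compare two dotted numeric versions; a prerelease suffix such as
// "4.0.8-beta.1" is ignored for the comparison. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Lockfile keys look like "node_modules/micromatch" for the hoisted copy and
// "node_modules/<pkg>/node_modules/micromatch" for nested copies. Only keys
// whose final segment is exactly "micromatch" are considered, so look-alike
// package names are not matched.
function findVulnerableMicromatch(lock, fixed = FIXED_VERSION) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/micromatch$/.test(path)) continue;
    if (!meta || typeof meta.version !== 'string') continue;
    if (compareVersions(meta.version, fixed) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Human-readable summary of the scan result, returned rather than printed so
// it can be checked by a caller.
function summarize(lock, fixed = FIXED_VERSION) {
  const hits = findVulnerableMicromatch(lock, fixed);
  if (hits.length === 0) {
    return `OK: no micromatch copy older than ${fixed} found`;
  }
  const lines = hits.map((h) => `  ${h.path} (${h.version})`);
  return `VULNERABLE: ${hits.length} micromatch copy/copies older than ${fixed}:\n` +
    lines.join('\n');
}

// Constructed sample lockfile (hypothetical project, not a real file).
// It contains one fixed hoisted copy, two outdated nested copies, and a
// package whose name merely starts with "micromatch".
const SAMPLE_LOCK = {
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/micromatch': { version: '4.0.8' },
    'node_modules/tool-a/node_modules/micromatch': { version: '4.0.5' },
    'node_modules/tool-b/node_modules/micromatch': { version: '3.1.10' },
    'node_modules/micromatch-lookalike': { version: '1.0.0' },
  },
};

// Running the file directly scans the constructed sample; in practice pass
// JSON.parse(fs.readFileSync('package-lock.json', 'utf8')) instead.
console.log(summarize(SAMPLE_LOCK));
```

Nested copies like the two flagged above are the usual reason an upgrade of the top-level dependency alone does not close the issue; they need the intermediate package updated, or a forced resolution (npm's `overrides` field in package.json, or Yarn's `resolutions`) pinning micromatch to 4.0.8 or later, after which a re-run of the scan against the regenerated lockfile should report no hits.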