CVE-2024-4067
Description
The NPM package micromatch prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching. This issue was fixed in version 4.0.8.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
micromatchnpm | < 4.0.8 | 4.0.8 |
Affected products
84- osv-coords83 versionspkg:apk/chainguard/argo-workflow-clipkg:apk/chainguard/argo-workflow-controllerpkg:apk/chainguard/argo-workflow-controller-compatpkg:apk/chainguard/argo-workflow-executorpkg:apk/chainguard/argo-workflow-executor-compatpkg:apk/chainguard/argo-workflowspkg:apk/chainguard/argo-workflows-known-hostspkg:apk/chainguard/argo-workflows-uipkg:apk/chainguard/argo-workflows-ui-3.7pkg:apk/chainguard/kibana-7pkg:apk/chainguard/kibana-7-bitnamipkg:apk/chainguard/kibana-8pkg:apk/chainguard/kibana-8-bitnamipkg:apk/chainguard/kibana-8-iamguardedpkg:apk/chainguard/kubeflow-pipelines-frontendpkg:apk/chainguard/lernapkg:apk/chainguard/opensearch-dashboards-2pkg:apk/chainguard/opensearch-dashboards-2-alerting-dashboards-pluginpkg:apk/chainguard/opensearch-dashboards-2-anomaly-detection-dashboards-pluginpkg:apk/chainguard/opensearch-dashboards-2-compatpkg:apk/chainguard/opensearch-dashboards-2-configpkg:apk/chainguard/opensearch-dashboards-2-dashboards-mapspkg:apk/chainguard/opensearch-dashboards-2-dashboards-notificationspkg:apk/chainguard/opensearch-dashboards-2-dashboards-observabilitypkg:apk/chainguard/opensearch-dashboards-2-dashboards-query-workbenchpkg:apk/chainguard/opensearch-dashboards-2-dashboards-reportingpkg:apk/chainguard/opensearch-dashboards-2-dashboards-search-relevancepkg:apk/chainguard/opensearch-dashboards-2-dashboards-visualizationspkg:apk/chainguard/opensearch-dashboards-2-fipspkg:apk/chainguard/opensearch-dashboards-2-fips-alerting-dashboards-pluginpkg:apk/chainguard/opensearch-dashboards-2-fips-anomaly-detection-dashboards-pluginpkg:apk/chainguard/opensearch-dashboards-2-fips-configpkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-mapspkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-notificationspkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-observabilitypkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-query-workbenchpkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-reportingpkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-search-relevancepkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-visualizationspkg:apk/chainguard/opensearch-dashboards-2-fips-index-management-dashboards-pluginpkg:apk/chainguard/opensearch-dashboards-2-fips-ml-commons-dashboardspkg:apk/chainguard/opensearch-dashboards-2-fips-security-analytics-dashboards-pluginpkg:apk/chainguard/opensearch-dashboards-2-fips-security-dashboards-pluginpkg:apk/chainguard/opensearch-dashboards-2-index-management-dashboards-pluginpkg:apk/chainguard/opensearch-dashboards-2-ml-commons-dashboardspkg:apk/chainguard/opensearch-dashboards-2-security-analytics-dashboards-pluginpkg:apk/chainguard/opensearch-dashboards-2-security-dashboards-pluginpkg:apk/chainguard/renovatepkg:apk/chainguard/semaphorepkg:apk/chainguard/ts-patchpkg:apk/wolfi/argo-workflow-clipkg:apk/wolfi/argo-workflow-controllerpkg:apk/wolfi/argo-workflow-controller-compatpkg:apk/wolfi/argo-workflow-executorpkg:apk/wolfi/argo-workflow-executor-compatpkg:apk/wolfi/argo-workflowspkg:apk/wolfi/argo-workflows-known-hostspkg:apk/wolfi/argo-workflows-uipkg:apk/wolfi/argo-workflows-ui-3.7pkg:apk/wolfi/kubeflow-pipelines-frontendpkg:apk/wolfi/lernapkg:apk/wolfi/opensearch-dashboards-2pkg:apk/wolfi/opensearch-dashboards-2-alerting-dashboards-pluginpkg:apk/wolfi/opensearch-dashboards-2-anomaly-detection-dashboards-pluginpkg:apk/wolfi/opensearch-dashboards-2-compatpkg:apk/wolfi/opensearch-dashboards-2-configpkg:apk/wolfi/opensearch-dashboards-2-dashboards-mapspkg:apk/wolfi/opensearch-dashboards-2-dashboards-notificationspkg:apk/wolfi/opensearch-dashboards-2-dashboards-observabilitypkg:apk/wolfi/opensearch-dashboards-2-dashboards-query-workbenchpkg:apk/wolfi/opensearch-dashboards-2-dashboards-reportingpkg:apk/wolfi/opensearch-dashboards-2-dashboards-search-relevancepkg:apk/wolfi/opensearch-dashboards-2-dashboards-visualizationspkg:apk/wolfi/opensearch-dashboards-2-index-management-dashboards-pluginpkg:apk/wolfi/opensearch-dashboards-2-ml-commons-dashboardspkg:apk/wolfi/opensearch-dashboards-2-security-analytics-dashboards-pluginpkg:apk/wolfi/opensearch-dashboards-2-security-dashboards-pluginpkg:apk/wolfi/renovatepkg:apk/wolfi/ts-patchpkg:npm/micromatchpkg:rpm/opensuse/pgadmin4&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/velociraptor&distro=openSUSE%20Tumbleweedpkg:rpm/suse/pgadmin4&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Python%203%2015%20SP6
< 3.6.0-r1+ 82 more
- (no CPE)range: < 3.6.0-r1
- (no CPE)range: < 3.6.0-r1
- (no CPE)range: < 3.6.0-r1
- (no CPE)range: < 3.6.0-r1
- (no CPE)range: < 3.6.0-r1
- (no CPE)range: < 3.6.0-r1
- (no CPE)range: < 3.6.0-r1
- (no CPE)range: < 3.6.0-r1
- (no CPE)range: < 3.7.13-r2
- (no CPE)range: < 7.17.25-r0
- (no CPE)range: < 7.17.25-r0
- (no CPE)range: < 8.15.3-r0
- (no CPE)range: < 8.15.3-r0
- (no CPE)range: < 8.15.3-r0
- (no CPE)range: < 2.15.0-r1
- (no CPE)range: < 8.1.8-r1
- (no CPE)range: < 2.19.1-r3
- (no CPE)range: < 2.19.1-r3
- (no CPE)range: < 2.19.1-r3
- (no CPE)range: < 2.19.1-r3
- (no CPE)range: < 2.19.1-r3
- (no CPE)range: < 2.19.1-r3
- (no CPE)range: < 2.19.1-r3
- (no CPE)range: < 2.19.1-r3
- (no CPE)range: < 2.19.1-r3
- (no CPE)range: < 2.19.1-r3
- (no CPE)range: < 2.19.1-r3
- (no CPE)range: < 2.19.1-r3
- (no CPE)range: < 2.17.1-r0
- (no CPE)range: < 2.17.1-r0
- (no CPE)range: < 2.17.1-r0
- (no CPE)range: < 2.17.1-r0
- (no CPE)range: < 2.17.1-r0
- (no CPE)range: < 2.17.1-r0
- (no CPE)range: < 2.17.1-r0
- (no CPE)range: < 2.17.1-r0
- (no CPE)range: < 2.17.1-r0
- (no CPE)range: < 2.17.1-r0
- (no CPE)range: < 2.17.1-r0
- (no CPE)range: < 2.17.1-r0
- (no CPE)range: < 2.17.1-r0
- (no CPE)range: < 2.17.1-r0
- (no CPE)range: < 2.17.1-r0
- (no CPE)range: < 2.19.1-r3
- (no CPE)range: < 2.19.1-r3
- (no CPE)range: < 2.19.1-r3
- (no CPE)range: < 2.19.1-r3
- (no CPE)range: < 38.52.0-r0
- (no CPE)range: < 2.18.12-r2
- (no CPE)range: < 3.3.0-r0
- (no CPE)range: < 3.6.0-r1
- (no CPE)range: < 3.6.0-r1
- (no CPE)range: < 3.6.0-r1
- (no CPE)range: < 3.6.0-r1
- (no CPE)range: < 3.6.0-r1
- (no CPE)range: < 3.6.0-r1
- (no CPE)range: < 3.6.0-r1
- (no CPE)range: < 3.6.0-r1
- (no CPE)range: < 3.7.13-r2
- (no CPE)range: < 2.15.0-r1
- (no CPE)range: < 8.1.8-r1
- (no CPE)range: < 2.19.1-r3
- (no CPE)range: < 2.19.1-r3
- (no CPE)range: < 2.19.1-r3
- (no CPE)range: < 2.19.1-r3
- (no CPE)range: < 2.19.1-r3
- (no CPE)range: < 2.19.1-r3
- (no CPE)range: < 2.19.1-r3
- (no CPE)range: < 2.19.1-r3
- (no CPE)range: < 2.19.1-r3
- (no CPE)range: < 2.19.1-r3
- (no CPE)range: < 2.19.1-r3
- (no CPE)range: < 2.19.1-r3
- (no CPE)range: < 2.19.1-r3
- (no CPE)range: < 2.19.1-r3
- (no CPE)range: < 2.19.1-r3
- (no CPE)range: < 2.19.1-r3
- (no CPE)range: < 38.52.0-r0
- (no CPE)range: < 3.3.0-r0
- (no CPE)range: < 4.0.8
- (no CPE)range: < 8.5-150600.3.6.1
- (no CPE)range: < 0.7.0.4.git142.862ef23-1.1
- (no CPE)range: < 8.5-150600.3.6.1
- Range: 0
Patches
Vulnerability mechanics
References
13- github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2adenvdPatchWEB
- github.com/micromatch/micromatch/pull/247nvdIssue TrackingPatchWEB
- github.com/micromatch/micromatch/pull/266nvdIssue TrackingPatchWEB
- advisory.checkmarx.net/advisory/CVE-2024-4067/nvdExploitThird Party Advisory
- devhub.checkmarx.com/cve-details/CVE-2024-4067/nvdThird Party Advisory
- github.com/advisories/GHSA-952p-6rrq-rcjvghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-4067ghsaADVISORY
- advisory.checkmarx.net/advisory/CVE-2024-4067ghsaWEB
- devhub.checkmarx.com/cve-details/CVE-2024-4067ghsaWEB
- github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.jsnvdProductWEB
- github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0ghsaWEB
- github.com/micromatch/micromatch/issues/243nvdIssue TrackingWEB
- github.com/micromatch/micromatch/releases/tag/4.0.8nvdRelease NotesWEB
News mentions
0No linked articles in our index yet.