CVE-2024-4067 — Regex Denial of Service in Micromatch

CWE-1333 — Regex Denial of Service9 documents6 sources

Severity

5.3MEDIUMNVD

EPSS

0.1%

top 68.13%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Micromatch Jonschlinkert Micromatch Debian Node-micromatch +3 more

Timeline

PublishedMay 14

Latest updateMar 25

Description

The NPM package `micromatch` prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4

Affected Packages7 packages

▶npmmicromatch/picomatch4.0.0 — 4.0.4+2

▶CVEListV5micromatch/micromatch< 4.0.8

▶npmmicromatch/micromatch< 4.0.8

▶debiandebian/node-micromatch< node-micromatch 4.0.7+~4.0.7-1 (forky)

▶NVDjonschlinkert/micromatch< 4.0.8

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Picomatch has a ReDoS vulnerability via extglob quantifiers↗2026-03-25

▶

GHSA

Picomatch has a ReDoS vulnerability via extglob quantifiers↗2026-03-25

▶

GHSA

Regular Expression Denial of Service (ReDoS) in micromatch↗2024-05-14

▶

OSV

CVE-2024-4067: The NPM package `micromatch` prior to 4↗2024-05-14

▶

OSV

Regular Expression Denial of Service (ReDoS) in micromatch↗2024-05-14

▶

📋Vendor Advisories

Microsoft

CVE-2024-4067: NIST NVD Details: https://nvd↗2024-05-14

▶

Debian

CVE-2024-4067: node-micromatch - The NPM package `micromatch` prior to 4.0.8 is vulnerable to Regular Expression ...↗2024

▶

Red Hat

micromatch: vulnerable to Regular Expression Denial of Service↗2023-12-12

▶