CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
AI Score
Confidence: High
EPSS Percentile: 15.5%
micromatch is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability is due to a regular expression with inefficient complexity in the micromatch.braces() method. An attacker can submit a large payload without a closing bracket, which results in ReDoS: the application slows down, hangs or crashes.
advisory.checkmarx.net/advisory/CVE-2024-4067/
devhub.checkmarx.com/cve-details/CVE-2024-4067/
github.com/advisories/GHSA-952p-6rrq-rcjv
github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448
github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade
github.com/micromatch/micromatch/issues/243
github.com/micromatch/micromatch/pull/247
github.com/micromatch/micromatch/pull/266
github.com/micromatch/micromatch/releases/tag/4.0.8