Main Vulnerability Database Vulnerabilities #VU92406

Incorrect Regular Expression in Braces - CVE-2024-4067

Published: June 20, 2024

Vulnerability identifier: #VU92406

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2024-4067

CWE-ID: CWE-185

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: micromatch

Affected software:
Braces

Detailed vulnerability description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

How to mitigate CVE-2024-4067

Cybersecurity Help is currently unaware of any official solution to address this vulnerability..

Sources

https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448
https://github.com/micromatch/micromatch/issues/243
https://github.com/micromatch/micromatch/pull/247
https://devhub.checkmarx.com/cve-details/CVE-2024-4067/

Incorrect Regular Expression in Braces - CVE-2024-4067

Detailed vulnerability description

How to mitigate CVE-2024-4067

Sources

Please verify you're human