Bug 2280601 (CVE-2024-4067) - CVE-2024-4067 micromatch: vulnerable to Regular Expression Denial of Service
Summary: CVE-2024-4067 micromatch: vulnerable to Regular Expression Denial of Service
Keywords:
Status: NEW
Alias: CVE-2024-4067
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance (priority / severity): medium / medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2280765 2280766 2280768 2280769 2280770 2280773 2280774 2280776 2280778 2280783 2280784 2281799 2280764 2280767 2280771 2280772 2280775 2280779 2280781 2280782 2280785 2280786 2280790 2280791 2280792 2280794
Blocks: 2280602
Reported: 2024-05-15 11:12 UTC by Rohit Keshri
Modified: 2024-09-01 08:28 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the NPM package `micromatch` that makes it vulnerable to regular expression denial of service (ReDoS). The issue is in `micromatch.braces()` in `index.js`: the check uses the pattern `.*`, which greedily matches anything. When given a crafted input, the regular expression engine keeps backtracking through the input as long as it does not find the closing bracket, so matching time grows with the input size until the application slows down or hangs. A fix was merged, but further testing showed that the issue persists. The issue should be mitigated by using a safe pattern that does not backtrack because of greedy matching.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Rohit Keshri 2024-05-15 11:12:54 UTC
The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching keeps backtracking through the input while it does not find the closing bracket. As the input size increases, the consumption time also increases until it causes the application to hang or slow down. There was a merged fix, but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.

https://devhub.checkmarx.com/cve-details/CVE-2024-4067/
https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448
https://github.com/micromatch/micromatch/issues/243
https://github.com/micromatch/micromatch/pull/247
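The following is an added example, not code from micromatch or from the reporter, to make the backtracking described above concrete. The pre-fix brace check is modelled here as the regular expression `/\{.*\}/` (an opening brace, then `.*`, then a closing brace); treat that exact form as an assumption and confirm it against the linked `index.js` line. For every `{` in the input the engine lets `.*` swallow the rest of the string and then gives characters back one at a time looking for `}`, so an input of N unmatched `{` costs on the order of N² steps. The linear scan beside it (`hasBracesSafe`, a name chosen for this example) answers the same question without backtracking: is there a `{` followed later by a `}` with no newline in between, which is exactly what `.` (no newline) lets the regex match.

```javascript
// Added example (not micromatch's own code): a greedy-regex brace check
// next to a backtracking-free scan, plus a timing comparison.

// ASSUMPTION: the vulnerable check is modelled as /\{.*\}/. With no '}' in
// the input, each '{' start position forces `.*` to consume the remainder and
// then back off character by character, so the cost is quadratic in length.
const VULNERABLE_BRACES_RE = /\{.*\}/;

function hasBracesVulnerable(pattern) {
  return VULNERABLE_BRACES_RE.test(pattern);
}

// Linear-time check with the same semantics as the regex above: true iff some
// '{' is followed by a '}' later on the same line ('.' does not match '\n').
// A single forward pass, no regular expression, so no backtracking to exploit.
function hasBracesSafe(pattern) {
  let open = false;
  for (const ch of pattern) {
    if (ch === '\n') open = false;       // '.*' cannot cross a newline
    else if (ch === '{') open = true;
    else if (ch === '}' && open) return true;
  }
  return false;
}

// Constructed malicious input: opening braces that are never closed, which is
// the shape the description calls out (the engine never finds the '}').
function maliciousPattern(n) {
  return '{'.repeat(n);
}

function timeMs(fn) {
  const t0 = performance.now();
  fn();
  return performance.now() - t0;
}

// Run both checks on increasing input sizes and return the timings so a
// caller can see how each one scales with the length of the input.
function benchmark(sizes) {
  return sizes.map(n => {
    const input = maliciousPattern(n);
    return {
      n,
      vulnerableMs: timeMs(() => hasBracesVulnerable(input)),
      safeMs: timeMs(() => hasBracesSafe(input)),
    };
  });
}

for (const r of benchmark([1000, 5000, 20000])) {
  console.log(`n=${r.n}\tregex=${r.vulnerableMs.toFixed(1)}ms\tscan=${r.safeMs.toFixed(2)}ms`);
}
```

Run it with `node` and watch the regex column grow roughly fourfold each time the input doubles while the scan column stays flat; raising the largest size further turns the regex check into the hang the report describes. The practical check for a dependency audit is the same one applied to your own code: any `.*` or `.+` that sits between a start delimiter and an end delimiter the attacker can omit is a candidate for this behaviour, and a bounded character scan or an explicit `indexOf` is the usual replacement.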

Comment 1 Rohit Keshri 2024-05-16 09:29:06 UTC
Created ansible tracking bugs for this issue:

Affects: epel-all [bug 2280765]
Affects: fedora-all [bug 2280769]


Created breeze-icon-theme tracking bugs for this issue:

Affects: fedora-all [bug 2280770]


Created cachelib tracking bugs for this issue:

Affects: fedora-all [bug 2280771]


Created fbthrift tracking bugs for this issue:

Affects: fedora-all [bug 2280772]


Created golang-github-prometheus tracking bugs for this issue:

Affects: epel-7 [bug 2280764]
Affects: epel-all [bug 2280766]


Created golang-github-task tracking bugs for this issue:

Affects: fedora-all [bug 2280773]


Created h3 tracking bugs for this issue:

Affects: fedora-all [bug 2280774]


Created mozjs78 tracking bugs for this issue:

Affects: fedora-all [bug 2280775]


Created nodejs-bash-language-server tracking bugs for this issue:

Affects: fedora-all [bug 2280776]


Created nodejs-diagnostic-language-server tracking bugs for this issue:

Affects: fedora-all [bug 2280778]


Created onnxruntime tracking bugs for this issue:

Affects: fedora-all [bug 2280779]


Created pgadmin4 tracking bugs for this issue:

Affects: fedora-all [bug 2280781]


Created phpMyAdmin tracking bugs for this issue:

Affects: fedora-all [bug 2280782]


Created qt6-qtwebengine tracking bugs for this issue:

Affects: fedora-all [bug 2280783]


Created rstudio tracking bugs for this issue:

Affects: fedora-all [bug 2280784]


Created seamonkey tracking bugs for this issue:

Affects: epel-all [bug 2280767]
Affects: fedora-all [bug 2280785]


Created yarnpkg tracking bugs for this issue:

Affects: epel-all [bug 2280768]
Affects: fedora-all [bug 2280786]

