Homepage
About Snyk

Inefficient Regular Expression Complexity Affecting micromatch package, versions <4.0.6

Severity

 Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.05% (16th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-MICROMATCH-6838728
  • published 13 May 2024
  • disclosed 13 May 2024
  • credit Mário Teixeira
Report a new vulnerability Found a mistake?

Introduced: 13 May 2024

CVE-2024-4067 Open this link in a new tab
CWE-1333 Open this link in a new tab

How to fix?

Upgrade micromatch to version 4.0.6 or higher.

Overview

Affected versions of this package are vulnerable to Inefficient Regular Expression Complexity due to the use of unsafe pattern configurations that allow greedy matching through the micromatch.braces() function. An attacker can cause the application to hang or slow down by passing a malicious payload that triggers extensive backtracking in regular expression processing.

CVSS Scores

version 3.1
Expand this section

Snyk

7.5 high
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    None
  • Integrity (I)
    None
  • Availability (A)
    High
Expand this section

Red Hat

7.5 high