micromatch is vulnerable to Regular Expression Denial of Service (ReDoS)

[sharadkalya]

Package micromatch is vulnerable to Regular Expression Denial of Service (ReDoS).

The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything.

By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket.

As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.

[couchcryptid]

Here is the link to the CVE https://nvd.nist.gov/vuln/detail/CVE-2024-4067

[saravana-immo]

Any update on the fix? When it will be resolved?

[Phoenix-Alpha]

GHSA-952p-6rrq-rcjv

[graingert-coef]

Any update on the fix? When it will be resolved?

it looks like it's been fixed on the master branch: a4a4dbe#diff-e727e4bdf3657fd1d798edcd6b099d6e092f8573cba266154583a746bba0f346L448-R457 but hasn't been released yet

edit: it was released, by @jonschlinkert in 4.0.6, but then 4.0.7 was incorrectly released off of the wrong branch by @paulmillr and re-introduced the vulnerability

[martincostello]

Looks like it was fixed in 4.0.6, as that commit is tagged for 4.0.6.

Maybe the GHSA is just out-of-date and needs updating with the fix ifo.

[thaynarbo]

Looks like it was fixed in 4.0.6, as that commit is tagged for 4.0.6.

Maybe the GHSA is just out-of-date and needs updating with the fix ifo.

Isn't the last release of micromatch on version 4.0.4?

[hauserkristof]

hey, but the so called """latest""" 4.0.7 IS vunerable, 4.0.6 is OK

[hauserkristof]

@jonschlinkert / @danez can you please create a 4.0.8 tag on the master branch and publish a new npm version?

[martincostello]

Isn't the last release of micromatch on version 4.0.4?

According to GitHub releases, but not npm or the tags.

[hauserkristof]

I have created a PR for GHSA to mark the v4.0.6 NOT vunerable.

github/advisory-database#4714

[hauserkristof]

I have created a version bump PR #265

[graingert-coef]

it looks like 4.0.7 was incorrectly released off of the old v4 branch instead of the master branch