CVE-2024-4067: 
JavaScript vulnerability analysis and mitigation

The NPM package micromatch prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. This vulnerability was assigned CVE-2024-4067 and was discovered by the Checkmarx Research team (Checkmarx Advisory, DevHub Details).

The vulnerability is caused by a greedy regex pattern .* in the micromatch.braces() function that can lead to excessive backtracking. When processing input with malicious patterns, the regex engine will keep backtracking while searching for a closing bracket. The vulnerability has been assigned a CVSS v3.1 score of 5.3 (Medium) with vector string AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (DevHub Details).

By passing a malicious payload, an attacker can cause the pattern matching to keep backtracking while searching for closing brackets. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down, effectively creating a denial of service condition (NVD).

The vulnerability was fixed in version 4.0.8 of micromatch. Users should upgrade to this version which includes the proper fix. The fix involves using a safe pattern that won't start backtracking the regular expression due to greedy matching. Note that versions 4.0.6 and 4.0.7 attempted to fix this issue but the vulnerability persisted (GitHub PR).

The vulnerability was initially reported by the Checkmarx Research team and went through a responsible disclosure process. After the initial fixes in versions 4.0.6 and 4.0.7 proved insufficient, version 4.0.8 was released as the ultimate fix for both CVE-2024-4067 and CVE-2024-4068. The maintainers have noted that while automated scanners may flag this as high severity, they consider the issues low-priority (GitHub Release).