Source: node-micromatch
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,

The following vulnerability was published for node-micromatch.

CVE-2024-4067[0]:
| The NPM package `micromatch` is vulnerable to Regular Expression
| Denial of Service (ReDoS). The vulnerability occurs in
| `micromatch.braces()` in `index.js` because the pattern `.*` will
| greedily match anything. By passing a malicious payload, the pattern
| matching will keep backtracking to the input while it doesn't find
| the closing bracket. As the input size increases, the consumption
| time will also increase until it causes the application to hang or
| slow down. There was a merged fix but further testing shows the
| issue persists. This issue should be mitigated by using a safe
| pattern that won't start backtracking the regular expression due to
| greedy matching.

https://github.com/micromatch/micromatch/issues/243
https://github.com/micromatch/micromatch/pull/247

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-4067
    https://www.cve.org/CVERecord?id=CVE-2024-4067

Please adjust the affected versions in the BTS as needed.
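Added example, not part of the bug report above and not micromatch's own source: a JavaScript sketch of the failure mode the CVE text describes. The two regexes are constructed stand-ins for a "does this glob contain braces" check (the report does not quote micromatch's actual pattern, so these are assumptions), and countBacktrackingSteps() is a simplified model of a backtracking regex engine. It shows that a greedy `.*` followed by `\}` does quadratic work on a run of unclosed braces, while a negated character class `[^{}]*` stays linear because it cannot run past the next brace.

```javascript
// Constructed stand-ins for a brace-detection check (assumptions, not
// micromatch's real source).
const GREEDY_BRACE_CHECK = /\{.*\}/;     // ".*" eats to end of input, then backs up
const SAFE_BRACE_CHECK = /\{[^{}]*\}/;   // stops at the next brace, no long backtrack

// Character classes for the step-counting model below.
const ANY_CHAR = () => true;                        // stands for "." (newlines ignored here)
const NOT_BRACE = (c) => c !== '{' && c !== '}';    // stands for "[^{}]"

// Models how a backtracking engine evaluates  \{ X* \}  and counts its work.
// X* is consumed greedily, then given back one character at a time until a
// "}" is found or the attempt is exhausted, which is the behaviour the CVE
// text describes. This is a model, not V8's engine, but the counts scale the
// same way as the real pattern's running time.
function countBacktrackingSteps(input, classAllows) {
  let steps = 0;
  for (let start = 0; start < input.length; start++) {
    steps++;                                   // try "\{" at this offset
    if (input[start] !== '{') continue;
    let end = start + 1;
    while (end < input.length && classAllows(input[end])) {
      end++;                                   // greedy consumption by X*
      steps++;
    }
    for (let k = end; k > start; k--) {        // backtrack, looking for "\}"
      steps++;
      if (input[k] === '}') return { matched: true, steps };
    }
  }
  return { matched: false, steps };
}

// Constructed worst case: a run of opening braces with no closing one.
function unclosedBraces(n) {
  return '{'.repeat(n);
}

// Wall-clock timing of the real regexes, for running the block by hand.
function timeMs(re, input) {
  const t0 = Date.now();
  re.test(input);
  return Date.now() - t0;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const n of [1000, 2000, 4000]) {
    const payload = unclosedBraces(n);
    console.log(
      `n=${n}: greedy steps=${countBacktrackingSteps(payload, ANY_CHAR).steps}` +
      `, safe steps=${countBacktrackingSteps(payload, NOT_BRACE).steps}`
    );
  }
  for (const n of [5000, 10000, 20000]) {
    const big = unclosedBraces(n);
    console.log(`n=${n}: greedy regex ${timeMs(GREEDY_BRACE_CHECK, big)} ms,` +
                ` safe regex ${timeMs(SAFE_BRACE_CHECK, big)} ms`);
  }
}
```

Run it with node to see the step counts (n*n + n for the greedy form against 2*n for the bounded form) alongside timings of the real regexes; reason from the step model, since absolute timings depend on the engine and machine. Both patterns agree on ordinary globs such as `a/{b,c}.js`, so the bounded class is a drop-in replacement for this kind of pre-check.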