[Pkg-javascript-devel] Bug#1071631: node-micromatch: CVE-2024-4067
Moritz Mühlenhoff
jmm at inutil.org
Wed May 22 16:19:33 BST 2024
Source: node-micromatch
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for node-micromatch.
CVE-2024-4067[0]:
| The NPM package `micromatch` is vulnerable to Regular Expression
| Denial of Service (ReDoS). The vulnerability occurs in
| `micromatch.braces()` in `index.js` because the pattern `.*` will
| greedily match anything. By passing a malicious payload, the pattern
| matching will keep backtracking to the input while it doesn't find
| the closing bracket. As the input size increases, the consumption
| time will also increase until it causes the application to hang or
| slow down. There was a merged fix but further testing shows the
| issue persists. This issue should be mitigated by using a safe
| pattern that won't start backtracking the regular expression due to
| greedy matching.
https://github.com/micromatch/micromatch/issues/243
https://github.com/micromatch/micromatch/pull/247
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-4067
https://www.cve.org/CVERecord?id=CVE-2024-4067
Please adjust the affected versions in the BTS as needed.
More information about the Pkg-javascript-devel
mailing list