#VU92406 Incorrect Regular Expression in Braces - CVE-2024-4067
Vulnerability identifier: #VU92406
Vulnerability risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID:
CWE-ID:
CWE-185
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Braces
Other software /
Other software solutions
Vendor: micromatch
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.
Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability..
Vulnerable software versions
Braces: 0.1.4 - 3.0.3
External links
https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448
https://github.com/micromatch/micromatch/issues/243
https://github.com/micromatch/micromatch/pull/247
https://devhub.checkmarx.com/cve-details/CVE-2024-4067/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
