CVE-2024-4067 Overview
The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). This vulnerability occurs in the micromatch.braces() function within index.js where the pattern .* greedily matches input without proper constraints. By passing a malicious payload, the pattern matching will continuously backtrack while searching for a closing bracket, causing severe performance degradation.
As the input size increases, processing time grows exponentially until the application hangs or becomes unresponsive. The micromatch package is widely used in the Node.js ecosystem for glob matching and file path pattern matching, making this vulnerability particularly impactful for build tools, bundlers, and file processing applications.
Critical Impact
Applications using vulnerable versions of micromatch can be rendered unresponsive through crafted input payloads, causing denial of service conditions in production environments.
Affected Products
- jonschlinkert micromatch versions prior to 4.0.8
- Node.js applications using micromatch for glob pattern matching
- Build tools and bundlers that depend on micromatch
Discovery Timeline
- May 14, 2024 - CVE-2024-4067 published to NVD
- August 4, 2025 - Last updated in NVD database
Technical Details for CVE-2024-4067
Vulnerability Analysis
This ReDoS vulnerability stems from inefficient regular expression handling in the micromatch.braces() function. When processing user-supplied patterns, the regex engine encounters catastrophic backtracking due to greedy quantifiers combined with nested pattern structures.
The vulnerability specifically affects the brace expansion functionality where unclosed or malformed brace patterns trigger exponential time complexity in the regex evaluation. An initial fix was merged but further testing revealed the issue persisted, requiring additional remediation in version 4.0.8.
The attack can be executed remotely without authentication, targeting any application that processes user-controlled input through micromatch's pattern matching functions. While the vulnerability only affects availability (not confidentiality or integrity), it can effectively disable application functionality.
Root Cause
The root cause is the use of a greedy regex pattern (.*) in the brace expansion logic within index.js. When the pattern encounters input without a proper closing bracket, the regex engine retries progressively shorter matches, backtracking through the entire input string repeatedly. This creates an algorithmic complexity attack where processing time grows exponentially with input length.
The vulnerable code pattern at line 448 of index.js demonstrates how unconstrained greedy matching leads to the ReDoS condition.
Attack Vector
The attack vector is network-based, requiring no privileges or user interaction. An attacker can exploit this vulnerability by:
- Identifying an application endpoint that processes file paths or glob patterns through micromatch
- Crafting a malicious input string with nested braces and missing closing brackets
- Submitting the payload to trigger catastrophic backtracking in the regex engine
- Repeating the attack to exhaust server resources and cause denial of service
The attack is particularly effective against web applications, build servers, and file processing APIs that accept user-controlled pattern input without proper validation or timeout mechanisms.
Detection Methods for CVE-2024-4067
Indicators of Compromise
- Unusual CPU spikes during pattern matching operations in Node.js applications
- Application response times degrading significantly when processing specific file patterns
- Increased memory consumption in processes handling glob or brace expansion
- Server timeouts or unresponsive application states triggered by specific input patterns
Detection Strategies
- Monitor Node.js application performance for abnormal CPU utilization patterns during file operations
- Implement logging for pattern matching function calls to identify malicious input attempts
- Use dependency scanning tools to identify applications running micromatch versions below 4.0.8
- Deploy application performance monitoring to detect sudden latency increases in glob-related endpoints
Monitoring Recommendations
- Set up alerts for Node.js process CPU usage exceeding baseline thresholds
- Monitor application request queue depths for signs of processing delays
- Track pattern matching operation durations and alert on outliers
- Review application logs for repeated requests with unusual brace patterns or nested structures
How to Mitigate CVE-2024-4067
Immediate Actions Required
- Update micromatch package to version 4.0.8 or later immediately
- Audit all Node.js applications and build pipelines for micromatch dependencies
- Implement input validation to reject overly complex or malformed glob patterns
- Add timeout mechanisms for pattern matching operations as a defensive measure
Patch Information
The vulnerability was fixed in micromatch version 4.0.8. The fix addresses the greedy regex pattern issue to prevent catastrophic backtracking. The patch is available through the official GitHub release and can be applied by updating the package via npm.
The security fix was implemented through Pull Request #266 with the specific commit available at 03aa805.
Workarounds
- Implement input length limits on user-supplied patterns before passing to micromatch
- Add request timeouts to endpoints that process glob patterns to limit impact duration
- Use pattern validation to reject inputs containing suspicious nested brace structures
- Consider implementing a pattern complexity check before processing user input
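The following is an added example, not code from micromatch or from this advisory, showing how the workarounds above (length limit, rejection of unbalanced or deeply nested braces) and the monitoring recommendation to track pattern matching durations can be combined in front of micromatch. Function names, limit values and the threshold are hypothetical choices for the example; the demo uses a constructed literal-equality matcher so it runs without micromatch installed.

```javascript
'use strict';
// Added example (not micromatch's code, not from the advisory): a validation gate
// and timing wrapper placed in front of micromatch when the pattern comes from an
// untrusted caller. All names and limit values here are hypothetical.

const DEFAULT_LIMITS = {
  maxLength: 256,      // reject very long patterns outright
  maxBraceDepth: 3,    // nesting deeper than {a,{b,{c}}} is refused
  maxBraceGroups: 8,   // total number of '{' groups allowed
};

// Walk the pattern once, honouring backslash escapes, and refuse anything with
// unbalanced braces, excessive nesting, or too many groups. Returns { ok, reason }.
function validateGlobPattern(pattern, limits = {}) {
  const { maxLength, maxBraceDepth, maxBraceGroups } = { ...DEFAULT_LIMITS, ...limits };
  if (typeof pattern !== 'string') return { ok: false, reason: 'pattern is not a string' };
  if (pattern.length > maxLength) return { ok: false, reason: 'pattern too long' };

  let depth = 0;
  let deepest = 0;
  let groups = 0;
  for (let i = 0; i < pattern.length; i += 1) {
    const ch = pattern[i];
    if (ch === '\\') { i += 1; continue; }           // escaped character: skip it
    if (ch === '{') {
      depth += 1;
      groups += 1;
      if (depth > deepest) deepest = depth;
    } else if (ch === '}') {
      if (depth === 0) return { ok: false, reason: 'unmatched closing brace' };
      depth -= 1;
    }
  }
  if (depth !== 0) return { ok: false, reason: 'unclosed brace' };
  if (deepest > maxBraceDepth) return { ok: false, reason: 'brace nesting too deep' };
  if (groups > maxBraceGroups) return { ok: false, reason: 'too many brace groups' };
  return { ok: true };
}

// Run matcher(paths, pattern) (e.g. micromatch) only after validation, and time the
// call so slow invocations can be logged and alerted on. onSlow receives
// { pattern, durationMs } whenever the call exceeds slowThresholdMs.
function guardedMatch(paths, pattern, matcher, options = {}) {
  const { limits = {}, slowThresholdMs = 50, onSlow = () => {} } = options;
  const verdict = validateGlobPattern(pattern, limits);
  if (!verdict.ok) {
    return { rejected: true, reason: verdict.reason, matches: [], durationMs: 0 };
  }
  const start = process.hrtime.bigint();
  const matches = matcher(paths, pattern);
  const durationMs = Number(process.hrtime.bigint() - start) / 1e6;
  if (durationMs > slowThresholdMs) onSlow({ pattern, durationMs });
  return { rejected: false, reason: null, matches, durationMs };
}

// Stand-alone demo with a constructed literal-equality matcher so the example runs
// without micromatch installed; substitute micromatch in real use.
function demo() {
  const paths = ['src/index.js', 'src/util.js', 'README.md'];   // constructed sample
  const literalMatcher = (list, pat) => list.filter((p) => p === pat);
  return {
    good: guardedMatch(paths, 'src/index.js', literalMatcher),
    unclosed: guardedMatch(paths, 'src/{a,b', literalMatcher),
    tooDeep: guardedMatch(paths, '{a,{b,{c,{d}}}}', literalMatcher),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The validator is a single linear pass, so it cannot itself become a backtracking hotspot, and the onSlow hook is where an application would emit the duration metric or log line that the monitoring section recommends alerting on.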
# Update micromatch to patched version
npm update micromatch
# Or explicitly install the fixed version
npm install micromatch@4.0.8
# Audit your project for vulnerable dependencies
npm audit
# Check current micromatch version in your project
npm list micromatch
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.