CVE Vulnerabilities

CVE-2024-4067

Inefficient Regular Expression Complexity

Published: May 14, 2024 | Modified: Aug 04, 2025
CVSS 3.x
5.3
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS 2.x
RedHat/V2
RedHat/V3
7.5 MODERATE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Ubuntu
MEDIUM
root.io logo minimus.io logo echo.ai logo

The NPM package micromatch prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesnt find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that wont start backtracking the regular expression due to greedy matching. This issue was fixed in version 4.0.8.

Weakness

The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

Affected Software

NameVendorStart VersionEnd Version
MicromatchJonschlinkert*4.0.8 (excluding)
Red Hat Advanced Cluster Security 4.6RedHatadvanced-cluster-security/rhacs-main-rhel8:4.6.0-6*
Red Hat Developer Hub 1.3 on RHEL 9RedHatrhdh/rhdh-hub-rhel9:1.3-100*
Red Hat OpenShift Service Mesh 2.6 for RHEL 8RedHatopenshift-service-mesh/grafana-rhel8:2.6.1-6*
Red Hat OpenShift Service Mesh 2.6 for RHEL 8RedHatopenshift-service-mesh/istio-cni-rhel8:2.6.1-7*
Red Hat OpenShift Service Mesh 2.6 for RHEL 8RedHatopenshift-service-mesh/istio-must-gather-rhel8:2.6.1-4*
Red Hat OpenShift Service Mesh 2.6 for RHEL 8RedHatopenshift-service-mesh/istio-rhel8-operator:2.6.1-9*
Red Hat OpenShift Service Mesh 2.6 for RHEL 8RedHatopenshift-service-mesh/kiali-ossmc-rhel8:1.89.0-2*
Red Hat OpenShift Service Mesh 2.6 for RHEL 8RedHatopenshift-service-mesh/kiali-rhel8:1.89.1-3*
Red Hat OpenShift Service Mesh 2.6 for RHEL 8RedHatopenshift-service-mesh/kiali-rhel8-operator:1.89.1-1*
Red Hat OpenShift Service Mesh 2.6 for RHEL 8RedHatopenshift-service-mesh/pilot-rhel8:2.6.1-7*
Red Hat OpenShift Service Mesh 2.6 for RHEL 8RedHatopenshift-service-mesh/ratelimit-rhel8:2.6.1-6*
Red Hat OpenShift Service Mesh 2.6 for RHEL 9RedHatopenshift-service-mesh/proxyv2-rhel9:2.6.1-4*
Red Hat Satellite 6.16 for RHEL 8RedHatforeman-0:3.12.0.1-1.el8sat*
Red Hat Satellite 6.16 for RHEL 8RedHatforeman-0:3.12.0.1-1.el8sat*
Red Hat Satellite 6.16 for RHEL 8RedHatforeman-0:3.12.0.1-1.el8sat*
Red Hat Satellite 6.16 for RHEL 9RedHatforeman-0:3.12.0.1-1.el9sat*
Red Hat Satellite 6.16 for RHEL 9RedHatforeman-0:3.12.0.1-1.el9sat*
Red Hat Satellite 6.16 for RHEL 9RedHatforeman-0:3.12.0.1-1.el9sat*
Red Hat OpenShift Dev Spaces (RHOSDS) 3.25RedHatdevspaces/code-rhel9:3.25.0-1765247843*
Node-micromatchUbuntufocal*
Node-micromatchUbuntumantic*
Node-micromatchUbuntuoracular*
Node-micromatchUbuntuplucky*

Potential Mitigations

References