CVE-2024-4067

5.3 MEDIUM

📋 TL;DR

The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS) in micromatch.braces(). The regular expression the function uses to detect brace expressions contains a greedy `.*`; on input that never supplies a matching closing brace the engine keeps backtracking, and processing time grows superlinearly with input length until the Node.js event loop is blocked. Because the work happens synchronously on the main thread, one crafted pattern can stall every other request served by that process. Any application that passes attacker-influenced patterns to a vulnerable micromatch is affected.

💻 Affected Systems

Products:
  • micromatch NPM package
Versions: All versions prior to 4.0.8
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Any application that passes user-controlled input to micromatch.braces() is vulnerable. The flaw is in the core library, needs no special option to trigger, and affects all default configurations. micromatch is usually a transitive dependency, so a project can be exposed without listing it in its own package.json.

📦 What is this software?

micromatch is a glob pattern-matching library for Node.js. It is rarely installed directly; most projects pull it in transitively through build tools, file watchers and glob utilities (for example fast-glob and anymatch depend on it), which is why a single application often contains several copies at different versions.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete application denial of service. A few crafted patterns keep the single-threaded Node.js process pinned at 100% CPU, making the service unavailable and causing cascading failures or timeouts in systems that depend on it.

🟠 Likely Case: Degraded application performance with increased response times and intermittent service disruptions affecting user experience.

🟢 If Mitigated: Minimal impact. Updated dependencies remove the flaw; input validation and rate limiting on pattern-processing endpoints limit exposure until the update ships.

🌐 Internet-Facing: MEDIUM - Exploitation requires sending malicious patterns to vulnerable endpoints, but many applications may not expose micromatch functionality directly.
🏢 Internal Only: LOW - Internal systems typically have controlled inputs and lower attack surface for pattern injection.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted pattern strings to vulnerable endpoints. No authentication needed if the vulnerable function processes user input.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.0.8

Vendor Advisory: https://github.com/micromatch/micromatch/releases/tag/4.0.8

Restart Required: Yes

Instructions:

1. Find every installed copy, including nested ones: 'npm ls micromatch --all'.
2. For a direct dependency, set the range in package.json to ^4.0.8 (or newer) and run 'npm install'. 4.0.8 is a patch release, so 'npm update micromatch' also works wherever the existing range already allows it.
3. For transitive copies whose parent package has not yet re-released, pin them with an overrides entry in package.json (npm 8.3 or later): "overrides": { "micromatch": "^4.0.8" }, then run 'npm install'. Installing 'micromatch@latest' as a direct dependency does not replace those nested copies.
4. Restart the application so the updated package is loaded.

🔧 Temporary Workarounds

Input validation and sanitization (all platforms)

Implement strict input validation to reject or sanitize patterns containing problematic brace sequences (unbalanced, deeply nested or unusually long) before passing them to micromatch.braces().

Rate limiting and timeout enforcement (all platforms)

Implement request rate limiting and pattern-processing timeouts (for example by running pattern expansion in a worker thread that is terminated after a deadline) to prevent sustained CPU exhaustion.

🧯 If You Can't Patch

  • Implement strict input validation to reject patterns with complex brace sequences
  • Deploy application-level rate limiting and CPU monitoring to detect and block DoS attempts
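The following is an added example of the input-validation workaround described above; it is not code from the micromatch project. It gates a pattern before it reaches micromatch.braces(): unbalanced or unclosed braces (the shape of input that triggers the backtracking), excessive nesting, too many brace groups and oversized patterns are rejected up front. The three limits are assumed values chosen for illustration and should be tuned to the longest legitimate pattern the application accepts. safeBraces takes the expansion function as a parameter so the snippet runs without micromatch installed; in production pass micromatch.braces.

```javascript
// Added example: pre-validate glob patterns before they reach micromatch.braces().
// The limits below are assumptions for illustration, not values from micromatch.
const MAX_PATTERN_LENGTH = 256; // assumed cap on total pattern length
const MAX_BRACE_DEPTH = 3;      // assumed cap on nested {a,{b,c}} groups
const MAX_BRACE_GROUPS = 8;     // assumed cap on the number of {...} groups

// Returns { ok: true } for an acceptable pattern, or { ok: false, reason }.
// Backslash-escaped braces are treated as literals, matching glob convention.
function validateBracePattern(pattern) {
  if (typeof pattern !== "string") return { ok: false, reason: "not a string" };
  if (pattern.length > MAX_PATTERN_LENGTH) return { ok: false, reason: "too long" };

  let depth = 0;
  let groups = 0;
  let escaped = false;
  for (const ch of pattern) {
    if (escaped) { escaped = false; continue; }
    if (ch === "\\") { escaped = true; continue; }
    if (ch === "{") {
      depth += 1;
      groups += 1;
      if (depth > MAX_BRACE_DEPTH) return { ok: false, reason: "braces nested too deep" };
      if (groups > MAX_BRACE_GROUPS) return { ok: false, reason: "too many brace groups" };
    } else if (ch === "}") {
      // A closing brace with nothing open is exactly the unbalanced shape to refuse.
      if (depth === 0) return { ok: false, reason: "unbalanced closing brace" };
      depth -= 1;
    }
  }
  // A trailing lone backslash is rejected conservatively rather than guessed at.
  if (escaped) return { ok: false, reason: "dangling escape" };
  // An opened group that never closes is the input the vulnerable regex backtracks on.
  if (depth !== 0) return { ok: false, reason: "unclosed brace" };
  return { ok: true, reason: "" };
}

// Wrapper that refuses bad patterns and otherwise delegates to the supplied
// expansion function (micromatch.braces in a real deployment).
function safeBraces(pattern, braces) {
  const verdict = validateBracePattern(pattern);
  if (!verdict.ok) throw new Error(`rejected pattern: ${verdict.reason}`);
  return braces(pattern);
}

// Constructed stand-in for micromatch.braces so the file runs offline.
function fakeBraces(pattern) {
  return [pattern];
}
```

In an application the call becomes safeBraces(userInput, micromatch.braces), and the reason string can be logged to feed the detection indicators listed below. The validator is a guard for the pre-patch window only; it does not make a vulnerable micromatch safe against every input, so updating to 4.0.8 remains the fix.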

🔍 How to Verify

Check if Vulnerable:

Run 'npm ls micromatch --all' to list every installed copy, including copies nested under other dependencies; package.json alone is not enough because micromatch is usually transitive. If any copy is below 4.0.8, the system is vulnerable. 'npm audit' also reports the advisory for affected copies.

Check Version:

npm ls micromatch --all

Verify Fix Applied:

After updating, confirm that 'npm ls micromatch --all' shows only versions 4.0.8 or higher (an overrides entry is needed if a nested copy still resolves to an older version), then exercise the application's pattern-matching paths to make sure brace expansion still behaves as expected.
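The following is an added example for the verification step above, not part of the original advisory. It walks the JSON tree that 'npm ls --all --json' produces and reports every micromatch copy below 4.0.8 together with the dependency path that pulled it in, which is what you need in order to write the right overrides entry. The tree embedded here is constructed sample data, not output from a real project.

```javascript
// Added example: find every micromatch < 4.0.8 in an `npm ls --all --json` tree.
const FIXED_VERSION = "4.0.8";

// Constructed sample of `npm ls --all --json` output (not from a real project).
const sampleNpmLs = {
  name: "example-app",
  version: "1.0.0",
  dependencies: {
    micromatch: { version: "4.0.8", dependencies: {} },
    "fast-glob": {
      version: "3.2.12",
      dependencies: {
        micromatch: { version: "4.0.5", dependencies: { braces: { version: "3.0.2" } } },
      },
    },
    "some-build-tool": {
      version: "2.1.0",
      dependencies: {
        anymatch: {
          version: "2.0.0",
          dependencies: { micromatch: { version: "3.1.10" } },
        },
      },
    },
  },
};

// Numeric compare of dotted versions. Any prerelease suffix is dropped because
// `npm ls` reports resolved versions and only the numeric core matters here.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Depth-first walk of the tree; returns [{ version, path }] for each vulnerable copy.
function findVulnerableMicromatch(tree, path = [], found = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (name === "micromatch" && compareVersions(node.version, FIXED_VERSION) < 0) {
      found.push({ version: node.version, path: here.join(" > ") });
    }
    findVulnerableMicromatch(node, here, found);
  }
  return found;
}

// Human-readable summary for a CI log or ticket.
function summarize(tree) {
  const hits = findVulnerableMicromatch(tree);
  if (hits.length === 0) return "OK: no micromatch below " + FIXED_VERSION;
  return hits.map((h) => `VULNERABLE micromatch@${h.version} via ${h.path}`).join("\n");
}

console.log(summarize(sampleNpmLs));
```

To run it against a real project, save 'npm ls --all --json > tree.json' and pass JSON.parse(fs.readFileSync("tree.json", "utf8")) to findVulnerableMicromatch in place of sampleNpmLs. Each reported path names the parent package that needs either a re-release or an overrides pin.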

📡 Detection & Monitoring

Log Indicators:

  • Unusually long processing times for pattern matching operations
  • High CPU usage spikes in Node.js processes
  • Application timeouts or crashes during pattern processing

Network Indicators:

  • Repeated requests with complex pattern strings
  • Unusually large pattern payloads in requests

SIEM Query:

source="application.logs" AND ("micromatch" OR "pattern matching") AND (duration>5s OR "timeout" OR "CPU spike")

(Pseudo-query; adapt field names to your SIEM. The strongest signal is request duration on endpoints that accept patterns, correlated with the Node.js process CPU metric, since the library itself logs nothing.)

🔗 References