CVE-2024-4067

Name: CVE-2024-4067
Creator: NVD / NIST
Published: 2024-05-14T15:42:47.947+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 5.3/10EPSS 1.43%

Last modified Jun 17, 2026

CVE-2024-4067 is a medium-severity vulnerability rated 5.3/10 on the CVSS scale. The NPM package `micromatch` prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. EPSS estimates a 1.43% chance of exploitation in the next 30 days.

Description

The NPM package `micromatch` prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching. This issue was fixed in version 4.0.8.

Metrics

CVSS 3.1

5.3/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS Probability

1.43%

69.6th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-1333

Affected Software

Vendor	Product	Versions
Jonschlinkert	Micromatch	< 4.0.8

References

https://advisory.checkmarx.net/advisory/CVE-2024-4067/Exploit, Third Party Advisory
https://devhub.checkmarx.com/cve-details/CVE-2024-4067/Third Party Advisory
https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2adePatch
https://github.com/micromatch/micromatch/pull/266Issue Tracking, Patch
https://github.com/micromatch/micromatch/releases/tag/4.0.8Release Notes
https://devhub.checkmarx.com/cve-details/CVE-2024-4067/Third Party Advisory
https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448Product
https://github.com/micromatch/micromatch/issues/243Issue Tracking
https://github.com/micromatch/micromatch/pull/247Issue Tracking, Patch

Timeline

Published: May 14, 2024
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2024-4067?

How severe is CVE-2024-4067?

CVE-2024-4067 has a CVSS score of 5.3/10 (MEDIUM severity). The EPSS model estimates a 1.43% probability of exploitation in the next 30 days.

How do I fix CVE-2024-4067?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2024-4067?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST