
[CVE-2024-4067] Vulnerability detected in micromatch.braces()

Open jpsla94 opened this issue 1 year ago • 8 comments

Hello @jonschlinkert,

I am currently using the latest version of micromatch, 4.0.7, and I noticed the package was flagged for a Regular Expression Denial of Service (ReDoS) vulnerability, located in micromatch.braces() in index.js, because of the pattern ".*" [CVE-2024-4067].

By the way, I already have the latest version of braces (3.0.3) installed in the package.

Is this being looked at and addressed?

jpsla94 avatar Jun 03 '24 09:06 jpsla94

It looks like this regressed between 4.0.6 — which removed the pattern as part of https://github.com/micromatch/micromatch/commit/a4a4dbe9a516fcb828784eec4c990ff0e51cab6f — and 4.0.7 (which does not contain this commit).

Overall the release of 4.0.7 looks a little strange; the package.json file on master still states 4.0.6.

Edit: Looks like 4.0.7 was released based on the v4 branch, which looks to have diverged from master. I have created #260

jacobjmarks avatar Jun 03 '24 23:06 jacobjmarks

Thank you @jacobjmarks. Could you kindly update this thread when the issue is fixed?

jpsla94 avatar Jun 04 '24 08:06 jpsla94

Hm, there's this 5-year old pinned issue at the top of the issues page.

Does it still apply today?

cchaglund avatar Jun 11 '24 05:06 cchaglund

Micromatch doesn't have a pinned dependency on braces. If you remove your lock file, you'll get the latest version of braces with the fix.

JeanMeche avatar Jun 11 '24 11:06 JeanMeche

@JeanMeche Which lock file are you talking about?

jpsla94 avatar Jun 11 '24 12:06 jpsla94

package-lock.json, yarn.lock or pnpm-lock.yaml.

JeanMeche avatar Jun 11 '24 12:06 JeanMeche

If you're using pnpm you can use pnpm up braces for a more fine-grained update than deleting the whole lock file.

lqc avatar Jun 12 '24 08:06 lqc

Hello,

I have the latest version of micromatch 4.0.7 and braces 3.0.3. I updated through override of the dependencies. But the vulnerability still appears on the security report.

Any more tips that I can try?

jpsla94 avatar Jun 17 '24 08:06 jpsla94
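The lock-file and override advice above only works if every resolved copy of the package is actually updated, and the report in this thread is that micromatch 4.0.7 itself still contains the pattern. As an added example (not code from the micromatch project), this script scans a package-lock.json "packages" map (lockfileVersion 2/3) for every copy of braces and micromatch, including nested copies under other packages, and flags the versions this thread identifies: braces older than 3.0.3 and micromatch 4.0.7 exactly. The sample lock file and the package name "some-tool" are constructed.

```javascript
// Added example: scan a package-lock.json for the versions discussed in this thread.
// Versions flagged here come from the thread: braces < 3.0.3 lacks the fix,
// micromatch 4.0.7 regressed (CVE-2024-4067).
const AFFECTED = {
  braces: (v) => compareVersions(v, "3.0.3") < 0,
  micromatch: (v) => compareVersions(v, "4.0.7") === 0,
};

// Minimal numeric x.y.z comparison; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Every lockfile key ends in "node_modules/<name>"; nested copies such as
// node_modules/a/node_modules/braces are checked too, because a top-level
// override or upgrade does not help while a stale nested copy remains.
function findAffected(lock) {
  const results = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const m = path.match(/node_modules\/((?:@[^/]+\/)?[^/]+)$/);
    if (!m) continue;
    const name = m[1];
    if (AFFECTED[name] && meta.version && AFFECTED[name](meta.version)) {
      results.push({ path, name, version: meta.version });
    }
  }
  return results;
}

// Constructed sample: top-level braces is 3.0.3, but micromatch 4.0.7 and a
// nested old braces copy (under the hypothetical "some-tool") remain.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/braces": { version: "3.0.3" },
    "node_modules/micromatch": { version: "4.0.7" },
    "node_modules/some-tool/node_modules/braces": { version: "3.0.2" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  for (const r of findAffected(SAMPLE_LOCK)) console.log(`${r.path}: ${r.name}@${r.version}`);
}
```

To check a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`.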

I downgraded to 4.0.6 in the meantime. Will close this topic now.

jpsla94 avatar Jul 09 '24 08:07 jpsla94

IIUC 4.0.7 still contains CVE-2024-4067 here.

master however seems to remedy the issue.. so waiting for a 4.0.8 :smile_cat:

manstis avatar Jul 22 '24 07:07 manstis

master is not backwards compatible. It needs to be fixed in a backwards-compatible way by someone.

paulmillr avatar Jul 22 '24 12:07 paulmillr

> master is not backwards compatible. It needs to be fixed in a backwards-compatible way by someone.

Fair enough.. I naively saw it appeared fixed on master and assumed a 4.0.8 would fix it.

Of course, if master is not backwards compatible I would not expect it to be 4.0.8 but 5.x or 4.1.x at least.

manstis avatar Jul 22 '24 12:07 manstis

5.x is not useful to release, because micromatch is rarely used on its own. It's mostly in other packages and they can't really be bothered to be broken.

paulmillr avatar Jul 22 '24 12:07 paulmillr