Lucene search

Veracode Vulnerability DatabaseVERACODE:47283

HistoryMay 31, 2024 - 5:28 a.m.

Regular Expression Denial Of Service (ReDoS)

2024-05-3105:28:55

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

regular expression denial of service

micromatch

inefficient complexity

large payload

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

6.7 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.6%

JSON

micromatch is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability is due a regex expression with inefficient complexity within the micromatch.braces() method. An attacker can submit a large payload without a closing bracket, which results in Regular Expression Denial of Service (ReDoS) as the application slows down, hangs or crashes.

CPENameOperatorVersion
micromatchle4.0.5
micromatchle4.0.5
node-micromatch:sideq4.0.2+repack+~4.0.1-1

Name	Operator	Version
micromatch	le	4.0.5
micromatch	le	4.0.5
node-micromatch:sid	eq	4.0.2+repack+~4.0.1-1

References

github.com/advisories/GHSA-952p-6rrq-rcjv

github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448

github.com/micromatch/micromatch/issues/243

github.com/micromatch/micromatch/pull/247

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

6.7 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.6%

JSON

Related for VERACODE:47283