CVE-2024-4067 - Critical ReDoS Vulnerability in NPM Package `micromatch`

The Node.js package micromatch, which is widely used for matching file system paths against glob patterns, has a critical Regular Expression Denial of Service (ReDoS) vulnerability. This post describes the bug in detail, provides a code snippet that reproduces the issue, and looks at how the upstream fix linked under Original References tried to address it. We also cover ways to mitigate the vulnerability and the exploit details.

The Vulnerability Background

micromatch.braces() in index.js is vulnerable to ReDoS when a malicious pattern is supplied as input. The problem is the greedy `.*` in the regular expression used to detect brace patterns: it consumes any character sequence, so the matcher repeatedly backtracks through the input while searching for a closing brace `}`. Processing time grows with the input size, so a large enough input causes the application to slow down significantly or hang.

Original References

A pull request, which was later merged, attempted to address this vulnerability. The following links provide more information about the vulnerability, the discussion around it, and the proposed fix:

1. Original Issue: https://github.com/micromatch/micromatch/issues/213
2. Pull Request: https://github.com/micromatch/micromatch/pull/214
3. Merged Fix: https://github.com/micromatch/micromatch/commit/b58a8daf79aba383efc15629b1e73940a8ee5db1

However, further testing showed that the issue was not completely resolved. The vulnerability persists, and the current implementation is still susceptible to ReDoS attacks.

Code Snippet to Reproduce the Issue

The following code snippet demonstrates how to exploit the ReDoS vulnerability in micromatch.braces():

const micromatch = require('micromatch');

// Malicious payload where matching takes a long time: an opening brace
// followed by filler and no closing brace, so the matcher keeps backtracking
const maliciousPattern = "{aaaaaaaaaaaaaaaaaaaX";
const userInput = "123456789";

// Call to the vulnerable micromatch.braces function, timing how long it takes
console.time('braces');
const result = micromatch.braces(maliciousPattern + userInput);
console.timeEnd('braces');
console.log(result);

In this example, the maliciousPattern is a specially crafted input that triggers the ReDoS vulnerability. When used in combination with regular user input, an attacker can slow down the host system.

Exploit Details

An attacker can leverage this vulnerability by crafting a malicious regular expression and luring a user or automated process into triggering the vulnerable micromatch.braces() method. This could result in severe performance impacts or even complete unresponsiveness of systems running applications that use the micromatch package.

Mitigating the Vulnerability

To address this issue, developers should modify the pattern matching implementation to avoid backtracking due to greedy matching. Adopting a non-greedy pattern matching approach will help prevent ReDoS attacks even when malicious payloads are provided as input.
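The following is an added example written for this post; it is not micromatch's own code and the greedy regex `/\{.*\}/` is assumed here purely to illustrate the `.*` style described in the background section. It puts the greedy brace check next to a single-pass scan that cannot backtrack, adds a length cap as defence in depth, and checks that both implementations agree on a set of constructed patterns (including the `{aaa...X<user input>` shape from the reproduction snippet). The function names, the 1024-character limit and the sample patterns are all assumptions, not values from the page.

```javascript
// Added example (not micromatch's own code): a greedy regex brace check beside
// a single-pass scan that cannot backtrack, plus an input-length cap.
// The regex /\{.*\}/ is assumed here as an illustration of the greedy ".*"
// style the advisory describes; it is not claimed to be micromatch's exact code.

// Greedy version: at each candidate "{", ".*" swallows the rest of the input
// and then gives characters back one at a time while looking for a "}".
function hasBracesGreedy(pattern) {
  return /\{.*\}/.test(pattern);
}

// Linear version: one pass, no backtracking. A brace expansion candidate
// needs an opening "{" followed somewhere later by a "}".
function hasBracesLinear(pattern) {
  const open = pattern.indexOf('{');
  if (open === -1) return false;
  return pattern.indexOf('}', open + 1) !== -1;
}

// Defence in depth: bound the pattern length before any matching runs so that
// even a backtracking implementation has bounded work. 1024 is an assumed limit.
const MAX_PATTERN_LENGTH = 1024;

function checkPatternLength(pattern, max = MAX_PATTERN_LENGTH) {
  if (typeof pattern !== 'string') throw new TypeError('pattern must be a string');
  if (pattern.length > max) {
    throw new RangeError(`pattern length ${pattern.length} exceeds limit ${max}`);
  }
  return pattern;
}

// Guard a caller could put in front of micromatch.braces(): reject oversized
// input first, then decide with the non-backtracking check.
function guardedBracesCheck(pattern, max = MAX_PATTERN_LENGTH) {
  checkPatternLength(pattern, max);
  return hasBracesLinear(pattern);
}

// Constructed sample patterns, including the advisory's "{aaa...X<input>" shape.
const samples = [
  '{a,b}.js',
  'src/**/*.{js,ts}',
  '{aaaaaaaaaaaaaaaaaaaX123456789',
  '}{',
  'no braces here',
  '{{nested}}',
];

// Run both checks over the samples and record whether they agree.
function compareImplementations(inputs = samples) {
  return inputs.map((p) => {
    const greedy = hasBracesGreedy(p);
    const linear = hasBracesLinear(p);
    return { pattern: p, greedy, linear, agree: greedy === linear };
  });
}

function runDemo() {
  for (const row of compareImplementations()) {
    console.log(`${JSON.stringify(row.pattern)} greedy=${row.greedy} linear=${row.linear}`);
  }
  try {
    guardedBracesCheck('{' + 'a'.repeat(5000) + 'X');
  } catch (e) {
    console.log(`rejected before matching: ${e.message}`);
  }
}

if (typeof require !== 'undefined' && require.main === module) runDemo();
```

The linear scan visits each character at most once regardless of how many braces the input contains, whereas the greedy form re-walks the tail of the input for every candidate opening brace; the length cap makes the worst case bounded even if a backtracking matcher is still in the call path.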

In Conclusion

CVE-2024-4067 is a critical ReDoS vulnerability affecting the widely used NPM package micromatch. It is essential for developers to implement safer pattern matching techniques to mitigate the risks associated with this security flaw. Additionally, it is crucial to keep up-to-date with the ongoing discussions and potential fixes related to this and similar issues.

Timeline

Published on: 05/14/2024 15:42:47 UTC
Last modified on: 05/22/2024 12:15:10 UTC