Inefficient Regular Expression Complexity vulnerability with High severity found #249
Comments
@babradshaw, this pull request should fix it. Hopefully the maintainers can merge this ASAP.

@babradshaw, any update on the above (micromatch:4.0.5)?

Any updates on the above? New release?
Hi @jonschlinkert,

We have followed all the guidelines for responsible disclosure. We remind you that we didn't get a direct response from you.

We have tested the latest micromatch version, 4.0.7, and the ReDoS vulnerability, CVE-2024-4067, still exists. Our PoC showed the program will hang for longer as the size of the input increases, which can cause Denial of Service. Therefore, updating braces (92d490d) won't solve this vulnerability.

We understand your concerns, and it's a far-fetched situation to encounter the vulnerability in a dependency, but as reported in our email, it's still possible. We maintain our position that it's a valid vulnerability. However, we considered that the score was initially too high for the real impact it can have, so we have recalculated its severity accordingly.

Regarding CVE-2024-4068, we confirm it was fixed in braces version 3.0.3.

Best regards,
@MarioTeixeiraCx, send me an email with the vuln. I have repo and npm access.

Thank you, @paulmillr. I have forwarded the email thread.
Being flagged as a vulnerable package:
Dependency npm:micromatch:4.0.5 is vulnerable
Cxca84a1c2-1f12 7.5 Inefficient Regular Expression Complexity vulnerability with High severity found
Results powered by Checkmarx(c)