MEDIUM · CVSS 5.3
CVE-2024-4067 — micromatch ReDoS
A regular-expression denial-of-service in `micromatch` — used by many build tools including webpack, Jest, and framework CLIs — allowed attacker-supplied glob patterns to hang the process.
Affects
- micromatch < 4.0.8
What an attacker does
The attacker supplies a glob pattern to any tool that passes untrusted input through micromatch (some config loaders, some test runners). The regex enters catastrophic backtracking; the process stalls.
How to detect
Search your lockfile for any `micromatch` entry with a version below 4.0.8, including nested copies under another package's `node_modules`. It is pulled in transitively by dozens of packages, so the top-level entry being fixed does not mean every copy is.
How to fix
Upgrade transitive dependencies to versions that pull in micromatch 4.0.8 or later. In practice, run `npm update` after checking for direct pins that would hold an older version in place.
How Securie catches it
Securie's transitive-dep scanner finds this behind every framework.