MEDIUM · CVSS 5.3
CVE-2024-4067 — micromatch ReDoS
A regular-expression denial-of-service in `micromatch` — used by many build tools including webpack, Jest, and framework CLIs — allowed attacker-supplied glob patterns to hang the process.
Affects
- micromatch < 4.0.8
What an attacker does
The attacker supplies a glob pattern to any tool that passes untrusted input through micromatch (some config loaders, some test runners). The regex enters catastrophic backtracking; the process stalls.
How to detect
Search the lockfile (`package-lock.json`, `yarn.lock`, or `pnpm-lock.yaml`) for any micromatch entry below 4.0.8. Checking `package.json` alone is not enough: it is pulled in transitively by dozens of packages, so several copies at different versions can be installed at once.
How to fix
Upgrade transitive dependencies to versions that pull micromatch 4.0.8+. In practice: `npm update` after checking for direct pins.
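The lockfile check described under "How to detect" and the verification step after the upgrade under "How to fix" can both be done with a short script. The one below is an added example and is not code from the advisory or from the micromatch project; the embedded `package-lock.json` content is constructed for the demo, and the `findVulnerableMicromatch` / `parseVersion` / `isBelow` names are this example's own. It walks both the lockfile v2/v3 `packages` map and the older v1 `dependencies` tree, so nested copies under a framework CLI are reported as well as the top-level one.

```javascript
// Added example (not from the advisory): report every installed copy of
// micromatch in an npm lockfile whose version is below the fixed 4.0.8.
// Works on the parsed JSON object, so it needs no external dependencies.

const FIXED_VERSION = [4, 0, 8]; // first version not affected by CVE-2024-4067

// Parse "4.0.7", "v4.0.7" or "4.0.7-beta.1" into numeric [major, minor, patch].
// Returns null for anything that is not a plain semver triple (e.g. a git URL).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// True when semver triple a is strictly lower than b.
function isBelow(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false; // equal versions are not "below"
}

// Return [{ path, version }] for each micromatch install below FIXED_VERSION.
// lockfileVersion 2/3: "packages" is a flat map keyed by install path.
// lockfileVersion 1:   "dependencies" is a nested tree; walk it recursively.
function findVulnerableMicromatch(lock) {
  const hits = [];
  const check = (path, version) => {
    const parsed = parseVersion(version);
    if (parsed && isBelow(parsed, FIXED_VERSION)) hits.push({ path, version });
  };

  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/micromatch')) check(path, entry.version);
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === 'micromatch') check(path, entry.version);
        if (entry.dependencies) walk(entry.dependencies, path + '/');
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Constructed sample lockfile (v3 layout) for the demo: one patched top-level
// copy and two nested, unpatched copies pulled in by hypothetical packages.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/micromatch': { version: '4.0.8' },
    'node_modules/some-cli/node_modules/micromatch': { version: '4.0.5' },
    'node_modules/legacy-builder/node_modules/micromatch': { version: '3.1.10' },
  },
};

// Stand-alone run against the constructed sample.
for (const hit of findVulnerableMicromatch(SAMPLE_LOCK)) {
  console.log(`VULNERABLE: micromatch@${hit.version} at ${hit.path}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; an empty result after `npm update` confirms that no nested copy was left behind. If a dependency pins an old micromatch so that `npm update` cannot move it, npm's `overrides` field in `package.json` (`"overrides": { "micromatch": "^4.0.8" }`) forces the transitive version, after which the script should report nothing.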
How Securie catches CVE-2024-4067
Securie's transitive-dependency specialist finds this behind every framework.