## micromatch NPM Package Exposed to Persistent ReDoS Vulnerability (CVE-2024-4067)
A critical security flaw in the widely used `micromatch` NPM package persists despite a previous fix, leaving countless applications vulnerable to denial-of-service attacks. The vulnerability, tracked as CVE-2024-4067 with a MEDIUM severity score of 5.3, is a Regular Expression Denial of Service (ReDoS) issue in versions prior to 4.0.8. It resides in the `micromatch.braces()` function within `index.js`, where a greedy `.*` pattern can be exploited. Attackers can craft a malicious payload that causes the pattern matching to enter excessive backtracking, consuming system resources and potentially causing applications to hang or experience severe slowdowns as input size grows.

The vulnerability's persistence is particularly alarming because a fix was previously merged, but subsequent testing confirmed the issue was not fully resolved. This indicates a deeper or more complex flaw in the pattern-matching logic than initially understood. The `micromatch` library is a fundamental dependency for glob pattern matching in the Node.js ecosystem, used by thousands of projects for file filtering and path matching, amplifying the potential impact of this vulnerability across the software supply chain.

Developers and security teams must immediately verify their dependency trees and upgrade to `micromatch` version 4.0.8 or later to mitigate this risk. The continued presence of this flaw after a purported fix raises significant concerns about the security review and testing processes for critical open-source dependencies. Organizations relying on automated vulnerability scanners should ensure their systems are updated to detect this persistent CVE, as lingering unpatched instances could be exploited to disrupt application performance and availability.
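As an added illustration (not code from the micromatch project or from the original advisory), the following scans a constructed npm lockfile for every installed copy of `micromatch` below the fixed 4.0.8 release, including nested copies under other dependencies that a top-level upgrade alone can miss. The lockfile layout (npm lockfileVersion 2/3 `packages` map) and all package names other than `micromatch` are assumed.

```javascript
// Added example: flag installed micromatch versions below the fixed release.
// The lockfile below is constructed for this example, not from a real project.
const FIXED_VERSION = '4.0.8';

// Parse "MAJOR.MINOR.PATCH" into numbers, ignoring any pre-release/build suffix.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator: negative if a < b, zero if equal, positive if a > b (numeric per field).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Walk the lockfile "packages" map (lockfileVersion 2/3) and return every
// micromatch install whose version is below `fixed`, with its install path.
function findVulnerableMicromatch(lockfile, fixed = FIXED_VERSION) {
  const hits = [];
  for (const [installPath, entry] of Object.entries(lockfile.packages || {})) {
    // Any install path ending in node_modules/micromatch is a copy of the package;
    // the root entry ("") is the project itself and is skipped.
    if (!installPath.endsWith('node_modules/micromatch') || !entry.version) continue;
    if (compareVersions(entry.version, fixed) < 0) {
      hits.push({ path: installPath, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample: the direct install is fixed, but a nested copy is not.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/micromatch': { version: '4.0.8' },
    'node_modules/some-tool': { version: '2.1.0' },
    'node_modules/some-tool/node_modules/micromatch': { version: '4.0.5' },
  },
};

// Stand-alone run: prints the nested 4.0.5 copy as the only finding.
console.log(findVulnerableMicromatch(sampleLock));
```
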

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cybersecurity, npm, vulnerability, ReDoS, open-source
- **Credibility**: unverified
- **Published**: 2026-03-27 06:27:07
- **ID**: 36947
- **URL**: https://whisperx.ai/en/intel/36947