Listen to this Post
The vulnerability stems from how older versions of Minimatch (prior to 3.0.2) convert glob patterns into JavaScript `RegExp` objects. Specifically, each asterisk () in a user-supplied pattern is compiled into a `[^/]?` regex group . When a pattern contains many consecutive asterisks followed by a literal character that does not exist in the target string, the V8 regex engine enters a catastrophic backtracking state. For a pattern like `X`, the regex must try every possible way to distribute the characters across the lazy quantifiers before failing. The time complexity is exponential, calculated as O(4^N) where N is the number of characters. With N=15, a single `minimatch()` call takes approximately 2 seconds; with N=34, the function hangs indefinitely, causing a Denial of Service (DoS) .
DailyCVE Form:
Platform: npm
Version: <=3.0.1
Vulnerability : ReDoS
Severity: High
Date: 2018-05-31
Prediction: Patched 2018
What Undercode Say:
Analytics:
This vulnerability is specific to the `pattern` argument of the `minimatch()` function. Attackers do not need authentication or user interaction, making it easy to exploit remotely. The flaw exists in the regex generation logic where `minimatch.js` converts globs to regex without limiting pattern complexity . The CVSS v3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating high availability impact . While the package is widely used in build tools and file watchers, the “brace expansion” function (braceExpand) was also identified as a separate ReDoS vector in later analysis (CVE-2022-3517), though CVE-2016-10540 specifically targets the primary matching function .
Exploit:
Simulate the vulnerability using Node.js Install vulnerable version npm install [email protected] Create a test script cat > test-redos.js << 'EOF' const minimatch = require('minimatch'); // Malicious pattern with 34 asterisks and a missing character const maliciousPattern = 'X'; const testString = 'some/path'; console.time('minimatch'); try { minimatch(testString, maliciousPattern); } catch (e) { console.log('Error:', e); } console.timeEnd('minimatch'); EOF Run the script (Warning: May hang or consume high CPU) node test-redos.js
Protection from this CVE:
Upgrade to the patched version (3.0.2 or later) npm install [email protected] Verify the installed version npm list minimatch If you cannot upgrade, implement input validation: Limit pattern length and reject patterns with excessive '' node -e "console.log(process.argv[bash].length > 50 ? 'Reject' : 'Accept')" "X" Use a safer alternative like 'micromatch' (if applicable) npm install micromatch
Impact:
Any application that passes user-controlled strings to `minimatch()` as the pattern argument is vulnerable . This includes file search UIs, .gitignore-style filters with user-defined rules, build tools accepting glob configurations, and any API exposing glob matching to untrusted input . Successful exploitation leads to excessive CPU consumption and application unresponsiveness, effectively crashing the Node.js process or thread .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

