Minimatch
Minimatch versions prior to 10.2.3 (and earlier affected versions) suffer from ReDoS vulnerabilities in nested extglob patterns that generate regexps with catastrophic backtracking, allowing remote attackers to cause denial of service with minimal input. A 12-byte glob pattern like `*(*(*(a|b)))` combined with an 18-byte non-matching string can hang the application for 7+ seconds, with larger patterns stalling for minutes. Public exploit code exists and no patch is currently available, making this a critical risk for any application using the default minimatch API.
Minimatch versions before 3.1.3 through 10.2.3 suffer from catastrophic backtracking in glob pattern matching when processing multiple GLOBSTAR segments, allowing attackers who control glob patterns to trigger exponential time complexity and cause denial of service. Public exploit code exists for this vulnerability, and affected Node.js applications using vulnerable Minimatch versions are at immediate risk. No patch is currently available, requiring users to upgrade to patched versions or implement input validation as a mitigation.
Minimatch versions 10.2.0 and below suffer from catastrophic backtracking in regular expression processing when glob patterns contain multiple consecutive wildcards, enabling denial of service attacks with exponential time complexity. Applications that process user-supplied glob patterns are vulnerable to CPU exhaustion, with worst-case scenarios causing indefinite hangs; public exploit code exists for this vulnerability. The issue is resolved in version 10.2.1.
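The advisories above recommend input validation as a mitigation where upgrading is not yet possible. The following is an added example, not code from the advisories or from the minimatch project: a pre-check that rejects glob patterns shaped like the three classes described (nested extglobs, several GLOBSTAR segments, many wildcards in one segment) before they reach the matcher. The limits are assumptions chosen for illustration.

```javascript
// Added example (not minimatch project code): reject glob patterns whose shape
// matches the ReDoS classes described in the advisories before calling minimatch.
// The limits are assumptions; tune them to what your application actually needs.
const EXTGLOB_OPENERS = new Set(['@', '*', '+', '?', '!']);

const DEFAULT_LIMITS = {
  maxExtglobDepth: 1,      // `@(a|b)` is fine, `*(*(a|b))` is not
  maxGlobstarSegments: 1,  // at most one `**` path segment
  maxStarsPerSegment: 2,   // plain `*` wildcards inside a single segment
  maxLength: 256,
};

function assessGlobPattern(pattern, limits = {}) {
  const lim = { ...DEFAULT_LIMITS, ...limits };
  const problems = [];
  if (pattern.length > lim.maxLength) problems.push(`length ${pattern.length} > ${lim.maxLength}`);

  // Extglob nesting depth: an opener is one of @ * + ? ! directly followed by '('.
  let depth = 0, maxDepth = 0, prev = null;
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === '\\') { i++; prev = null; continue; } // escaped character is a literal
    if (c === '(' && prev !== null && EXTGLOB_OPENERS.has(prev)) {
      depth++;
      maxDepth = Math.max(maxDepth, depth);
    } else if (c === ')' && depth > 0) {
      depth--;
    }
    prev = c;
  }
  if (maxDepth > lim.maxExtglobDepth) problems.push(`extglob depth ${maxDepth} > ${lim.maxExtglobDepth}`);

  // GLOBSTAR segments, and plain '*' wildcards per segment (a '*' that opens an extglob is not counted).
  const segments = pattern.split('/');
  const globstars = segments.filter((s) => s === '**').length;
  if (globstars > lim.maxGlobstarSegments) problems.push(`${globstars} '**' segments > ${lim.maxGlobstarSegments}`);
  const worstStars = Math.max(0, ...segments.filter((s) => s !== '**')
    .map((s) => (s.match(/\*(?!\()/g) || []).length));
  if (worstStars > lim.maxStarsPerSegment) problems.push(`${worstStars} '*' in one segment > ${lim.maxStarsPerSegment}`);

  return { ok: problems.length === 0, maxDepth, globstars, worstStars, problems };
}

// Usage: run assessGlobPattern() on any pattern that crosses a trust boundary and
// refuse to pass it to minimatch when ok is false; log the problems for triage.
```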