Asymmetric denial of service in minimatch

Description

Regular Expression Denial of Service in minimatch

Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).

Proof of Concept

var minimatch = require("minimatch");

// utility function for generating long strings
var genstr = function (len, chr) {
  var result = "";
  // declare the loop counter locally instead of leaking a global
  for (var i = 0; i <= len; i++) {
    result = result + chr;
  }
  return result;
};
// ...

Recommendation

Update to version 3.0.2 or later.
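
An added example (not part of the advisory): one way to check a parsed package-lock.json for minimatch copies older than the patched 3.0.2, including copies pulled in transitively. The function names and both sample lockfiles are constructed for illustration.

```javascript
const PATCHED = '3.0.2'; // patched version named in the advisory

// Compare two x.y.z versions numerically; pre-release tags are ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Return every minimatch install below PATCHED in a parsed package-lock.json.
function findVulnerableMinimatch(lock) {
  const hits = [];
  const old = (v) => typeof v === 'string' && compareVersions(v, PATCHED) < 0;
  // lockfileVersion 2/3: flat "packages" map keyed by install path
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith('node_modules/minimatch') && old(meta.version)) hits.push({ path, version: meta.version });
  }
  // lockfileVersion 1: nested "dependencies" tree (skipped when "packages" exists, to avoid double counting)
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = trail.concat(name).join(' > ');
      if (name === 'minimatch' && old(meta.version)) hits.push({ path, version: meta.version });
      walk(meta.dependencies, trail.concat(name));
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles (not taken from any real project).
const sampleV1 = {
  dependencies: {
    glob: { version: '5.0.15', dependencies: { minimatch: { version: '2.0.10' } } },
    minimatch: { version: '3.0.4' },
  },
};
const sampleV3 = {
  packages: {
    '': { name: 'demo' },
    'node_modules/minimatch': { version: '3.0.2' },
    'node_modules/glob/node_modules/minimatch': { version: '3.0.0' },
  },
};
console.log(findVulnerableMinimatch(sampleV1));
console.log(findVulnerableMinimatch(sampleV3));
```

To run it against a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` instead of the samples.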

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions