Overview
About vulnerability
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive `*` wildcards followed by a literal character that doesn't appear in the test string. Each `*` compiles to a separate `[^/]*?` regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N), where N is the number of `*` characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1.
Details
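The mechanism described above (each redundant `*` becomes its own lazy `[^/]*?` group, and a failed match forces the engine to try every split between them) suggests a simple defensive layer for applications that must accept user-supplied patterns and cannot yet upgrade. The following is an added example, not minimatch's own code or its upstream fix: it normalizes runs of consecutive `*` within a path segment down to a single `*` (inside one segment, `a***b` and `a*b` match the same strings, so no meaning is lost) while leaving a segment that is exactly `**` alone so globstar semantics survive, and then enforces a wildcard budget on what remains. `MAX_WILDCARDS` and the function names are assumptions chosen for this example; the vetted pattern would then be handed to minimatch() by the caller.

```javascript
// Added example (not part of minimatch): pre-filter user-controlled glob
// patterns before they reach minimatch(). Two independent controls:
//   1. normalizeStars(): collapse a run of '*' inside a segment to one '*'.
//      A segment that is exactly '**' (globstar) is preserved. An escaped
//      star ('\*') is a literal in minimatch and is not treated as part of
//      a wildcard run.
//   2. vetGlobPattern(): after normalization, reject patterns whose total
//      wildcard count still exceeds an assumed policy budget.

const MAX_WILDCARDS = 8; // assumed budget; tune per application

function normalizeStars(pattern) {
  return pattern
    .split('/')
    .map((segment) => {
      if (segment === '**') return segment; // keep globstar as-is
      // A run of 2+ stars that is not preceded by a backslash becomes one star.
      return segment.replace(/(^|[^\\])\*{2,}/g, '$1*');
    })
    .join('/');
}

function countWildcards(pattern) {
  let n = 0;
  for (const ch of pattern) {
    if (ch === '*') n += 1;
  }
  return n;
}

// Returns { ok: true, pattern } with the normalized pattern,
// or { ok: false, reason } when the pattern should not be passed on.
function vetGlobPattern(pattern) {
  if (typeof pattern !== 'string') {
    return { ok: false, reason: 'pattern must be a string' };
  }
  const normalized = normalizeStars(pattern);
  const n = countWildcards(normalized);
  if (n > MAX_WILDCARDS) {
    return { ok: false, reason: `too many wildcards (${n} > ${MAX_WILDCARDS})` };
  }
  return { ok: true, pattern: normalized };
}

// Constructed sample inputs for a quick demonstration.
for (const p of ['src/**/*.js', 'a***b', '*'.repeat(34) + 'x', '*a*a*a*a*a*a*a*a*a*']) {
  console.log(JSON.stringify(p.length > 40 ? p.slice(0, 40) + '...' : p), '->', vetGlobPattern(p));
}
```

The normalization step alone removes the specific shape the advisory describes, because the long run of stars becomes a single `[^/]*?` group; the budget covers patterns that spread many wildcards between literals, which the collapse does not reduce. Neither replaces upgrading to 10.2.1 or later.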
- Affected products: @bazel/typescript, @microsoft/api-extractor, @rollup/plugin-commonjs, Acorn, AlmaLinux 9.2 ESU, Next.js, Node.js, Protocol Buffers, React, TuxCare 9.6 ESU, archiver-utils, autodll-webpack-plugin, babel, babel-plugin-module-resolver, cacache, clang-format, cli, copy-concurrently, del, eslint-import-resolver-typescript, eslint-plugin-import, eslint-plugin-jsx-a11y, eslint-plugin-react, firefox-profile, fs-extra, fstream, glob, globby, jasmine-npm, jpm, karma, loopback, loopback-connector, loopback-connector-remote, loopback-datasource-juggler, loopback-phase, maximatch, minimatch, move-concurrently, move-file, multimatch, pdfjs-dist, postcss-functions, protractor, purgecss, recursive-copy, recursive-readdir, remix, rimraf, selenium-webdriver, shelljs, sort-package-json, strong-error-handler, strong-globalize, strong-remoting, tailwindcss, tar, terser-webpack-plugin, tmp, uglifyjs-webpack-plugin, webdriver-js-extender, webdriver-manager, webpack, webpack-dev-server, yamljs
- Affected packages: icu @ 67.1 (+265 more)