CVE-2026-26996

Updated on 20 Feb 2026

Severity

7.5 High severity

Details

CVSS score
7.5
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Overview

About vulnerability

minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn’t appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8’s regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1.
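A defensive pre-processing step for patterns that reach minimatch() from untrusted input, written here as an added example; it is not code from the advisory or from the minimatch project, and it is not the upstream fix in 10.2.1. It assumes "/" as the path separator, backslash escapes, and that a segment equal to exactly "**" is a globstar that must be kept as-is.

```javascript
// Added example (not the advisory's or minimatch's own code). Consecutive
// unescaped "*" in one segment match the same strings as a single "*", so
// collapsing them keeps the glob's meaning while removing the run of
// "[^/]*?" groups that the advisory identifies as the backtracking trigger.
// Assumption: a segment that is exactly "**" is globstar and is preserved;
// "***" or longer all-star segments are not globstar and collapse to "*".

const MAX_STAR_RUN = 2; // no legitimate pattern needs more than "**"

// Longest run of unescaped consecutive "*" (the advisory's N), for logging.
function longestStarRun(pattern) {
  let best = 0, run = 0;
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '\\') { i++; run = 0; continue; }   // skip the escaped char
    if (ch === '*') { run++; if (run > best) best = run; } else { run = 0; }
  }
  return best;
}

// Collapse runs of unescaped "*" inside each path segment.
function collapseStarRuns(pattern) {
  return pattern.split('/').map(segment => {
    if (segment === '**') return segment;          // globstar stays intact
    let out = '', prevStar = false;
    for (let i = 0; i < segment.length; i++) {
      const ch = segment[i];
      if (ch === '\\' && i + 1 < segment.length) { // keep "\x" literally
        out += ch + segment[++i]; prevStar = false; continue;
      }
      if (ch === '*') { if (prevStar) continue; prevStar = true; }
      else { prevStar = false; }
      out += ch;
    }
    return out;
  }).join('/');
}

// Gate to call before minimatch(): bound the size, normalise the pattern and
// flag inputs whose star runs exceed what a real glob ever needs.
function prepareUntrustedPattern(pattern, maxLength = 1024) {
  if (typeof pattern !== 'string' || pattern.length > maxLength) {
    throw new Error('glob pattern rejected: not a string or too long');
  }
  const run = longestStarRun(pattern);
  return { pattern: collapseStarRuns(pattern), longestStarRun: run,
           suspicious: run > MAX_STAR_RUN };
}
```

The `suspicious` flag is a detection hook (log it, rate-limit the caller); the normalised `pattern` is what should be handed to minimatch().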

Details

Affected product:
@bazel/concatjs, @bazel/typescript, @microsoft/api-extractor, @rollup/plugin-commonjs, Acorn, AlmaLinux 9.2 ESU, Angular, CentOS 8.4 ELS, CentOS 8.5 ELS, CentOS Stream 8 ELS, Next.js, Node.js, Protocol Buffers, React, TuxCare 9.6 ESU, archiver-utils, astro, autodll-webpack-plugin, aws-crt-nodejs, aws-sdk-js-v3, b4a, babel, babel-jest, babel-loader, babel-plugin-codegen, babel-plugin-istanbul, babel-plugin-module-resolver, babel-preset-expo, bare-fs, bare-stream, bin-links, bottom-tabs, cacache, cache-loader, cacheable, chromium-edge-launcher, clang-format, cli, cli-clean, components, config-array, copy-concurrently, credential-provider-cognito-identity, credential-provider-login, db0, del, dev-middleware, devtools, drawer, drizzle-orm, eslint, eslint-import-resolver-typescript, eslint-plugin-import, eslint-plugin-jsx-a11y, eslint-plugin-react, eslint-plugin-vue, eslintrc, expo, expo-asset, expo-constants, expo-file-system, expo-image, expo-linking, expo-modules-jsi, expo-router, expo-sqlite, expo-symbols, expo-widgets, file-loader, firefox-profile, friendly-errors-webpack-plugin, fs-extra, fs-vacuum, fstream, gaze, gentle-fs, gh-pages, glob, globby, grunt, grunt-karma, hard-source-webpack-plugin, help-me, ignore-walk, init-package-json, jasmine-npm, jest, jest-circus, jest-preset, jest-runtime, jest-transform, jpm, jscodeshift, karma, karma-jasmine, karma-junit-reporter, karma-requirejs, libcipm, libnpm, libnpmhook, libnpmorg, libnpmteam, lock-verify, loopback, loopback-connector, loopback-connector-remote, loopback-datasource-juggler, loopback-phase, make-fetch-happen, masked-view, maximatch, metro, metro-runtime, minimatch, mongodb, mongodb-client-encryption, mongoose, mongoose-legacy-pluralize, move-concurrently, move-file, mqtt.js, multimatch, native-stack, ng-packagr, nitro, npm, npm-lifecycle, npm-packlist, npm-profile, npm-registry-fetch, npx, nuxt, offline-plugin, op-sqlite, optimize-css-assets-webpack-plugin, pacote, pdfjs-dist, platform-ios, postcss-functions, postcss-url, progress-bar-webpack-plugin, protractor, puppeteer, purgecss, read-installed, read-package-json, read-package-tree, recursive-copy, recursive-readdir, remix, rewrite, rimraf, rnx-kit, sass-graph, sass-loader, selenium-webdriver, sharp, shelljs, sort-package-json, storybook, streamx, strong-error-handler, strong-globalize, strong-remoting, style-resources-loader, stylus, tailwindcss, tar, tar-fs, tar-stream, teex, tempy, terser-webpack-plugin, test-exclude, text-decoder, tmp, token-providers, true-case-path, tslint, typescript-eslint, uglifyjs-webpack-plugin, unstorage, vector-icons, vercel, vetur, vite, vite-dev-rpc, vite-hot-client, vite-plugin-checker, vite-plugin-inspect, vite-plugin-vue, vite-plugin-vue-inspector, vscode-languageserver-node, vti, webdriver-js-extender, webdriver-manager, webpack, webpack-dev-middleware, webpack-dev-server, webpack-subresource-integrity, webpackbar, yamljs
Affected packages:
tmp @ 0.2.1 (+979 more)

Fixes