minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested *() extglobs produce regexps with nested unbounded quantifiers (e.g. (?:(?:a|b)*)*), which exhibit catastrophic backtracking in V8. With a 12-byte pattern *(*(*(a|b))) and an 18-byte non-matching input, minimatch() stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default minimatch() API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects +() extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.
Weakness
The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Minimatch | Minimatch_project | * | 3.1.4 (excluding) |
| Minimatch | Minimatch_project | 4.0.0 (including) | 4.2.5 (excluding) |
| Minimatch | Minimatch_project | 5.0.0 (including) | 5.1.8 (excluding) |
| Minimatch | Minimatch_project | 6.0.0 (including) | 6.2.2 (excluding) |
| Minimatch | Minimatch_project | 7.0.0 (including) | 7.4.8 (excluding) |
| Minimatch | Minimatch_project | 8.0.0 (including) | 8.0.6 (excluding) |
| Minimatch | Minimatch_project | 9.0.0 (including) | 9.0.7 (excluding) |
| Minimatch | Minimatch_project | 10.0.0 (including) | 10.2.3 (excluding) |
Extended Description
Attackers can create crafted inputs that
intentionally cause the regular expression to use
excessive backtracking in a way that causes the CPU
consumption to spike.