Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern
Vulnerability Description
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1.
CVSS Information
N/A
Vulnerability Type
CWE-1333
Vulnerability Title
minimatch 安全漏洞
Vulnerability Description
minimatch是isaacs个人开发者的一个 javascript 中的全局匹配器。 minimatch 10.2.0及之前版本存在安全漏洞,该漏洞源于处理包含多个连续通配符的glob模式时存在正则表达式拒绝服务漏洞。
CVSS Information
N/A
Vulnerability Type
N/A