minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions

minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), which exhibit catastrophic backtracking in V8. With a 12-byte pattern `*(*(*(a|b)))` and an 18-byte non-matching input, `minimatch()` stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default `minimatch()` API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects `+()` extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-1333

minimatch 安全漏洞

minimatch是isaacs个人开发者的一个 javascript 中的全局匹配器。 minimatch 10.2.3之前版本、9.0.7之前版本、8.0.6之前版本、7.4.8之前版本、6.2.2之前版本、5.1.8之前版本、4.2.5之前版本和3.1.4之前版本存在安全漏洞，该漏洞源于嵌套*()扩展通配符产生具有嵌套无界量词的正则表达式，可能导致灾难性回溯。

N/A

N/A