Vulnerability Information
Vulnerability Title
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions
Vulnerability Description
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), which exhibit catastrophic backtracking in V8. With a 12-byte pattern `*(*(*(a|b)))` and an 18-byte non-matching input, `minimatch()` stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default `minimatch()` API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects `+()` extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.
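As an added example (not code from the advisory or from the minimatch project), the following defender-side pre-check measures how deeply `*()` / `+()` extglobs are nested in a glob pattern, so that untrusted patterns can be rejected before they reach `minimatch()`; the function names are assumptions.

```javascript
// Added example: pre-validate glob patterns before passing them to minimatch().
// Nested *() / +() extglobs compile to nested unbounded quantifiers such as
// (?:(?:a|b)*)*, the shape the advisory describes, so a depth of 2 or more is
// rejected by default. Function names are hypothetical, not minimatch's API.
const UNBOUNDED_EXTGLOB_OPENERS = new Set(['*', '+']);

// Returns the maximum nesting depth of *() / +() groups in `pattern`.
// @(...), ?(...) and !(...) groups are tracked for parenthesis balance but do
// not count; backslash escapes and bracket expressions [...] are skipped.
function unboundedExtglobDepth(pattern) {
  const stack = [];        // one entry per open '(': true if it is *() or +()
  let depth = 0;           // current depth of unbounded groups
  let maxDepth = 0;
  let prevOpener = false;  // previous unescaped char was '*' or '+'
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === '\\') { i++; prevOpener = false; continue; }   // skip escaped char
    if (c === '[') {                                         // skip [...] class
      const close = pattern.indexOf(']', i + 2);
      if (close !== -1) { i = close; prevOpener = false; continue; }
    }
    if (c === '(') {
      stack.push(prevOpener);
      if (prevOpener) { depth++; if (depth > maxDepth) maxDepth = depth; }
    } else if (c === ')' && stack.length > 0) {
      if (stack.pop()) depth--;
    }
    prevOpener = UNBOUNDED_EXTGLOB_OPENERS.has(c);
  }
  return maxDepth;
}

// A single *() or +() group is fine; nesting is what produces the backtracking.
function isSafeGlobPattern(pattern, maxNesting = 1) {
  return unboundedExtglobDepth(pattern) <= maxNesting;
}

// Constructed sample patterns: the advisory's 12-byte pattern and benign ones.
const samples = ['*(*(*(a|b)))', '*(a|b)', 'src/**/*.js', '@(*(a|b))'];
for (const p of samples) {
  console.log(p, '-> depth', unboundedExtglobDepth(p), 'safe:', isSafeGlobPattern(p));
}
```

Run the check on any pattern that originates outside the trusted codebase; patterns the application ships itself can be audited once instead.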
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Vulnerability Type
CWE-1333
Vulnerability Title
minimatch security vulnerability
Vulnerability Description
minimatch is a JavaScript glob matcher developed by the individual developer isaacs. minimatch versions prior to 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5 and 3.1.4 contain a security vulnerability. The vulnerability arises because nested `*()` extglobs produce regular expressions with nested unbounded quantifiers, which can lead to catastrophic backtracking.
CVSS Information
N/A
Vulnerability Type
N/A