CVE-2016-10540 — Uncontrolled Resource Consumption in Node-minimatch

CWE-400 — Uncontrolled Resource Consumption CWE-20 — Improper Input Validation6 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.4%

top 37.02%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Node-minimatch Minimatch Project Minimatch Hackerone Minimatch Node Module

Timeline

PublishedMay 31

Latest updateMar 15

Description

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript `RegExp` objects. The primary function, `minimatch(path, pattern)` in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the `pattern` parameter.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶debiandebian/node-minimatch< node-minimatch 3.0.3-1 (bookworm)

▶npmminimatch_project/minimatch< 3.0.2

▶NVDminimatch_project/minimatch3.0.1

▶CVEListV5hackerone/minimatch_node_module<=3.0.1

🔴Vulnerability Details

OSV

Regular Expression Denial of Service in minimatch↗2018-10-09

▶

GHSA

Regular Expression Denial of Service in minimatch↗2018-10-09

▶

OSV

CVE-2016-10540: Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript `RegExp` objects↗2018-05-31

▶

📋Vendor Advisories

Ubuntu

minimatch vulnerability↗2021-03-15

▶

Debian

CVE-2016-10540: node-minimatch - Minimatch is a minimal matching utility that works by converting glob expression...↗2016

▶