CVE-2022-3517 — Uncontrolled Resource Consumption in Project Minimatch

CWE-400 — Uncontrolled Resource Consumption CWE-1333 — Regex Denial of Service9 documents8 sources

Severity

7.5HIGHNVD

EPSS

0.5%

top 34.40%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Minimatch Project Minimatch Debian Node-minimatch Debian Linux +1 more

Timeline

PublishedOct 17

Latest updateDec 3

Description

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶debiandebian/node-minimatch< node-minimatch 3.0.5+~3.0.5-1 (bookworm)

▶NVDminimatch_project/minimatch< 3.0.5

▶npmminimatch_project/minimatch< 3.0.5

▶CVEListV5minimatch_project/minimatchminimatch versions prior to 3.0.5

Also affects: Debian Linux 10.0, Fedora 36, 37

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

minimatch ReDoS vulnerability↗2022-10-18

▶

OSV

minimatch ReDoS vulnerability↗2022-10-18

▶

OSV

CVE-2022-3517: A vulnerability was found in the minimatch package↗2022-10-17

▶

📋Vendor Advisories

Ubuntu

minimatch vulnerability↗2023-05-18

▶

Red Hat

nodejs-minimatch: ReDoS via the braceExpand function↗2022-02-06

▶

Oracle

Oracle Oracle Systems Risk Matrix: Operating System Image — CVE-2021-3517↗2022-01-15

▶

Debian

CVE-2022-3517: node-minimatch - A vulnerability was found in the minimatch package. This flaw allows a Regular E...↗2022

▶

📄Research Papers

arXiv

WildCode: An Empirical Analysis of Code Generated by ChatGPT↗2025-12-03

▶