Actions Toolkit Glob Regular Expression Denial-of-Service Vulnerability

A denial-of-service vulnerability has been identified in Actions Toolkit version 0.5.0, specifically within the glob component. The issue arises in the globEscape function of the file internal-pattern.ts, where inefficient regular expression complexity can be exploited. This vulnerability allows context-dependent attackers to cause high CPU usage and application freezing by embedding maliciously constructed code blocks in parsed Markdown. The vulnerability can be exploited remotely.

Impact

Exploitation of this vulnerability leads to a regular expression denial-of-service (ReDoS) condition, causing excessive CPU consumption and potential application unresponsiveness.

Reproduction

The vulnerability can be reproduced by using Actions Toolkit version 0.5.0 and introducing specially crafted input strings that exploit the globEscape function in the internal-pattern.ts file. This can be done by embedding malicious code blocks in Markdown that the glob component parses, triggering the inefficient regular expression handling.