minimatch Regular Expression Denial-of-Service Vulnerability

Vulnerability

A Regular Expression Denial-of-Service (ReDoS) vulnerability exists in minimatch versions prior to 10.2.0. The issue arises when a glob pattern includes multiple consecutive '*' wildcards followed by a literal character that is not present in the test string. Each '*' wildcard is translated into a separate '[^/]*?' regex group. When the match fails, this causes V8's regex engine to backtrack exponentially across all possible splits, leading to significant performance degradation. The vulnerability can be exploited in any application that allows user-controlled strings to be passed to the minimatch() function as the pattern argument.

Impact

Exploitation of this vulnerability can cause applications to hang indefinitely or experience severe slowdowns, effectively leading to a denial-of-service condition.

Reproduction

To reproduce this vulnerability, use minimatch with a pattern that includes a large number of consecutive '*' wildcards followed by a character that does not exist in the target string. For example, a pattern with 34 consecutive '*' wildcards followed by a character not present in the test string will cause the minimatch() function to hang indefinitely.

Remediation

Users can upgrade to minimatch version 10.2.1 or later to address this vulnerability.
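Where upgrading is not immediately possible, an input-validation layer in front of minimatch() limits exposure from user-controlled patterns. The following is an added example and not minimatch's own code; the function names and the two limit values are assumptions to be tuned per application, and it assumes POSIX-style patterns where a backslash escapes the next character.

```javascript
// Added example: defensive pre-processing of user-supplied glob patterns
// before they are passed to minimatch(). Limits below are assumptions.
const MAX_PATTERN_LENGTH = 256;
const MAX_STAR_WILDCARDS = 8;

// Collapse runs of consecutive '*' inside each path segment. A segment that
// is exactly '**' is a globstar and is kept as-is. In any other segment a
// run of '*' matches the same strings as a single '*', so the collapse keeps
// the pattern's meaning while removing the adjacent '[^/]*?' groups that
// make a failed match backtrack exponentially. Escaped characters ('\*')
// are copied verbatim so a literal star is never merged with a wildcard.
function collapseStarRuns(pattern) {
  return pattern.split('/').map(seg => {
    if (seg === '**') return seg;
    let out = '';
    let prevStar = false;
    for (let i = 0; i < seg.length; i++) {
      const ch = seg[i];
      if (ch === '\\' && i + 1 < seg.length) { // escape: keep both chars
        out += ch + seg[++i];
        prevStar = false;
      } else if (ch === '*') {
        if (!prevStar) out += ch;              // drop repeated '*'
        prevStar = true;
      } else {
        out += ch;
        prevStar = false;
      }
    }
    return out;
  }).join('/');
}

// Count unescaped single '*' wildcards; globstar segments are excluded.
function countStarWildcards(pattern) {
  return pattern.split('/')
    .filter(seg => seg !== '**')
    .reduce((n, seg) => n + (seg.replace(/\\./g, '').match(/\*/g) || []).length, 0);
}

// Returns { ok: true, pattern } with the normalized pattern, or
// { ok: false, reason } when the input should be rejected outright.
function sanitizeGlobPattern(input) {
  if (typeof input !== 'string') return { ok: false, reason: 'pattern must be a string' };
  if (input.length > MAX_PATTERN_LENGTH) return { ok: false, reason: 'pattern too long' };
  const pattern = collapseStarRuns(input);
  if (countStarWildcards(pattern) > MAX_STAR_WILDCARDS) {
    return { ok: false, reason: 'too many wildcards' };
  }
  return { ok: true, pattern };
}
```

Only the pattern returned in `ok: true` results should be handed to minimatch(); rejected inputs should be logged with their reason so abuse attempts are visible in application logs.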

Added: Feb 20, 2026, 3:31 AM
Updated: Feb 20, 2026, 3:31 AM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 3.3
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.