isaacs minimatch
cpe:2.3:a:minimatch_project:minimatch:*:*:*:*:node.js:*:*
- >= 10.0.0, < 10.2.3
- >= 9.0.0, < 9.0.7
- >= 8.0.0, < 8.0.6
- >= 7.0.0, < 7.4.8
- >= 6.0.0, < 6.2.2
- >= 5.0.0, < 5.1.8
- >= 4.0.0, < 4.2.5
- >= 0.0.0, <= 3.1.3
A denial-of-service vulnerability has been identified in the Minimatch library, specifically in versions 10.0.0 prior to 10.2.3, 9.0.0 prior to 9.0.7, 8.0.0 prior to 8.0.6, 7.0.0 prior to 7.4.8, 6.0.0 prior to 6.2.2, 5.0.0 prior to 5.1.8, 4.0.0 prior to 4.2.5, and all versions through 3.1.3. The issue arises when nested `*()` and `+()` extglobs are compiled into a regular expression with nested unbounded quantifiers, which leads to catastrophic backtracking in V8's regular-expression engine. This backtracking can be exploited to stall the Node.js event loop for an extended period; the severity of the impact increases with the depth of nesting and the length of the input.
Exploitation of this vulnerability causes significant delays in processing, with the potential to starve the Node.js event loop and disrupt the execution of other tasks or requests.
The vulnerability can be reproduced by calling the `minimatch()` function with a pattern that includes nested `*()` extglobs, such as `*(*(*(a|b)))`, and a non-matching input that triggers the backtracking, such as 18 `a` characters followed by a `z`. This can be done through a simple Node.js script or by setting up an HTTP server that processes requests with the vulnerable pattern and input, demonstrating the impact on event-loop concurrency.
Users can mitigate this vulnerability by updating to Minimatch versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, or 3.1.4. Applications that do not require extglob syntax should also pass the option `{ noext: true }` to the `minimatch()` function when handling untrusted patterns.
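As an added example (not code from the advisory or from the minimatch project), the helper below gates glob patterns before they reach `minimatch()`: untrusted patterns always receive the advisory's `{ noext: true }` option, and trusted patterns are measured for extglob nesting depth so that a pattern like `*(*(*(a|b)))` can be logged or rejected instead of compiled. It assumes the five bash extglob openers `@(`, `?(`, `*(`, `+(`, `!(` and backslash as the escape character; the function names and the depth limit are hypothetical.

```javascript
// Added example: pre-flight check for glob patterns handed to minimatch().
// Assumes bash extglob openers @( ?( *( +( !( and backslash escapes;
// extglobDepth / guardPattern are hypothetical names, not minimatch APIs.

const EXTGLOB_OPENERS = new Set(['@', '?', '*', '+', '!']);

// Maximum nesting depth of extglob groups in `pattern` (0 if none).
// Plain '(' ... ')' pairs are tracked so closers pair up correctly,
// and a backslash makes the following character literal.
function extglobDepth(pattern) {
  const stack = [];          // one entry per open '(': true if extglob
  let depth = 0;
  let maxDepth = 0;
  let prevIsOpener = false;  // was the previous unescaped char an opener?
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '\\') {       // escaped character: never an opener
      i++;
      prevIsOpener = false;
      continue;
    }
    if (ch === '(') {
      stack.push(prevIsOpener);
      if (prevIsOpener) {
        depth++;
        maxDepth = Math.max(maxDepth, depth);
      }
    } else if (ch === ')' && stack.length > 0) {
      if (stack.pop()) depth--;
    }
    prevIsOpener = EXTGLOB_OPENERS.has(ch);
  }
  return maxDepth;
}

// Decide how a pattern may be passed to minimatch(). Untrusted patterns
// get `noext: true` (the advisory's mitigation), so `*(...)` is matched
// literally and no nested quantifiers are compiled. Trusted patterns keep
// extglob support but are rejected above `maxDepth` nesting (hypothetical
// policy value) so the caller can log the pattern instead of matching.
function guardPattern(pattern, { trusted = false, maxDepth = 1 } = {}) {
  const depth = extglobDepth(pattern);
  if (!trusted) return { allowed: true, depth, options: { noext: true } };
  if (depth > maxDepth) return { allowed: false, depth, options: null };
  return { allowed: true, depth, options: {} };
}

// Usage with the real library would be:
//   const g = guardPattern(userPattern);
//   if (g.allowed) minimatch(input, userPattern, g.options);
console.log(guardPattern('*(*(*(a|b)))'));                   // noext forced
console.log(guardPattern('*(*(*(a|b)))', { trusted: true })); // rejected
```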