Picomatch Regular Expression Denial-of-Service Vulnerability via Extglob Patterns
Vulnerability
A Regular Expression Denial-of-Service (ReDoS) vulnerability has been identified in Picomatch, a glob matcher for JavaScript. This issue affects versions 4.0.0 prior to 4.0.4, 3.0.0 prior to 3.0.2, and all versions prior to 2.3.2. The vulnerability arises when Picomatch processes crafted extglob patterns built from the quantifier-like extglob operators, such as '+()' and '*()', particularly when these groups are nested or their alternatives overlap. Picomatch compiles such patterns into regular expressions that exhibit catastrophic backtracking on non-matching inputs: the regex engine tries an exponential number of ways to partition the input before it can fail, consuming excessive CPU and blocking the Node.js event loop. Applications that let untrusted users supply glob patterns for Picomatch to compile or match are at risk; applications that only compile patterns from trusted sources are far less likely to be affected, although the input being matched still matters once an unsafe pattern is in use.
Impact
Exploitation of this vulnerability causes sustained CPU consumption on the thread that runs the match. Because Node.js executes JavaScript on a single thread, one crafted pattern stalls the event loop and every other request or task served by that process, creating a denial-of-service condition without any crash or memory exhaustion.
Reproduction
The vulnerability can be reproduced by using Picomatch to process extglob patterns that include nested or overlapping quantifiers. For example, patterns like '+(a|aa)', '+(*|?)', and '*(+(a))' trigger the issue: in '+(a|aa)' the two alternatives overlap (one is a prefix of the other), in '+(*|?)' both alternatives are wildcards that match the same characters, and in '*(+(a))' one repetition group is nested inside another. When these patterns are compiled by Picomatch, the resulting regular expressions backtrack catastrophically on an input that almost matches, such as a long run of characters the group accepts followed by one character it does not, and the match call blocks the event loop for several seconds while the engine exhausts every partition of the input.
Remediation
Users are advised to upgrade to Picomatch version 4.0.4, 3.0.2, or 2.3.2, depending on the major version in use. If an immediate upgrade is not possible, avoid passing untrusted glob patterns to Picomatch. Possible mitigations include disabling extglob support for untrusted patterns, sanitizing or rejecting patterns that contain nested extglobs or overlapping alternatives inside an extglob, enforcing a strict allowlist of accepted pattern syntax, bounding pattern length, and applying request throttling and input validation on endpoints that accept glob patterns. Note that pattern screening is a heuristic defence; an allowlist of known-good patterns, or refusing user-supplied patterns altogether, is the stronger control.
