Picomatch Method Injection Vulnerability in POSIX Character Classes Leading to Incorrect Glob Matching
Vulnerability
A method injection vulnerability has been identified in Picomatch, a glob matcher written in JavaScript. This vulnerability affects versions prior to 4.0.4, 3.0.2, and 2.3.2. The issue arises in the 'POSIX_REGEX_SOURCE' object, a plain object that inherits from 'Object.prototype'. A crafted POSIX bracket expression can name an inherited property such as 'constructor' or 'toString'; the lookup succeeds, and the inherited method is injected into the generated regular expression. This causes incorrect glob matching, where patterns may unintentionally match certain filenames. While the vulnerability does not allow remote code execution, it can lead to significant logic errors in applications that use glob patterns for validation, filtering, or access control. Users of affected Picomatch versions who handle untrusted or user-controlled glob patterns may be at risk.
Impact
Exploitation of this vulnerability can disrupt glob matching integrity, causing patterns to incorrectly match unintended files. This misalignment can introduce security-related logic errors in applications that depend on precise glob pattern matching for validation, filtering, or access control purposes.
Reproduction
The vulnerability can be reproduced by using a version of Picomatch prior to the patched releases and passing a crafted POSIX bracket expression, such as '[[:constructor:]]', into the 'makeRe' function. Instead of being rejected as an unknown class name, the expression resolves to an inherited method on 'Object.prototype', which is injected into the regular expression used for glob matching. The injected method text then disrupts the matching process, leading to incorrect results.
Remediation
Users should upgrade to Picomatch version 4.0.4, 3.0.2, or 2.3.2. If an immediate upgrade is not possible, it is recommended to avoid passing untrusted glob patterns to Picomatch, especially those containing POSIX character classes. Applications can also manually patch the library by giving 'POSIX_REGEX_SOURCE' a null prototype (and only honoring own properties), ensuring that inherited methods cannot be looked up.
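The lookup behavior described under Reproduction and the null-prototype fix described under Remediation, shown side by side in an added example; this is illustrative code, not Picomatch's own, and the class table and helper names are constructed for the example.

```javascript
// Added example (not picomatch's own code): models how a POSIX class name is
// resolved to its regex source, and why a plain object literal is unsafe.

// Constructed subset of POSIX class sources, keyed by class name.
const POSIX_TABLE = {
  alpha: 'a-zA-Z',
  digit: '0-9',
  space: ' \\t\\n',
};

// Vulnerable lookup: a plain object inherits from Object.prototype, so names
// like "constructor" or "toString" resolve to inherited functions instead of
// failing, and the function's source text ends up in the regex.
function lookupVulnerable(name) {
  const src = POSIX_TABLE[name];
  return src === undefined ? null : String(src);
}

// Hardened lookup: copy the table onto a null-prototype object and accept
// own properties only, so inherited names are rejected.
const POSIX_SAFE = Object.assign(Object.create(null), POSIX_TABLE);

function lookupHardened(name) {
  return Object.prototype.hasOwnProperty.call(POSIX_SAFE, name)
    ? POSIX_SAFE[name]
    : null;
}

// Build an anchored character-class regex from an expression like "[[:alpha:]]",
// using the supplied lookup. Unknown class names are rejected with an error.
function classRegex(expr, lookup) {
  const m = /^\[\[:([a-z]+):\]\]$/i.exec(expr);
  if (!m) throw new Error('not a POSIX bracket expression');
  const src = lookup(m[1]);
  if (src === null) throw new Error(`unknown POSIX class: ${m[1]}`);
  return new RegExp(`^[${src}]+$`);
}

// With the vulnerable lookup, "[[:constructor:]]" is silently accepted and
// compiles to a regex built from "function Object() { [native code] }";
// with the hardened lookup it is rejected as an unknown class.
```

Run `classRegex('[[:constructor:]]', lookupHardened)` to see the rejection, and compare `lookupVulnerable('constructor')` with `lookupHardened('constructor')`.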