CVE-2016-10540: Minimatch 3.0.1 and earlier is vulnerable to Regular Expression Denial of Service (ReDoS) through malicious pattern parameters.


Description

Minimatch is a JavaScript library that matches file paths against glob patterns by compiling each pattern into a regular expression. In versions 3.0.1 and earlier, the pattern argument of minimatch(path, pattern) is compiled without safeguards against catastrophic backtracking, so an attacker who controls the pattern can supply one whose compiled regular expression takes exponential time to evaluate. Each such call pins a CPU core, and because the match runs synchronously on the Node.js event loop, the process stops serving other requests until the match completes: a denial of service that requires nothing more than a crafted string.

Overview

Minimatch is widely used in Node.js applications for file path matching and glob pattern processing. The vulnerability exists in the core matching functionality where user-supplied glob patterns are converted to regular expressions without proper validation or safeguards against exponential backtracking. When a malicious pattern is processed, it can trigger catastrophic backtracking in the regular expression engine, causing the application to consume excessive CPU resources and potentially become unresponsive. This is particularly dangerous in server environments where the application processes user input directly or indirectly through this library.

Remediation

To remediate this vulnerability, take the following actions:

  1. Update Minimatch to version 3.0.2 or later, which includes the fix for this ReDoS vulnerability. Minimatch is most often pulled in transitively (for example through glob), so check every installed copy with `npm ls minimatch` rather than only your direct dependencies.
  2. If immediate updating is not possible, validate patterns before they reach minimatch: cap their length, restrict them to the characters a file-path glob legitimately needs, and limit the number of wildcards and brace groups.
  3. If untrusted patterns must be matched at all, run the match in a worker thread or child process that can be terminated after a deadline. A synchronous regular expression running on the main event loop cannot be interrupted by a timer, so a timeout wrapped around the call itself does nothing.
  4. Review your application for code paths where user input reaches minimatch, either directly or indirectly through a dependency that accepts glob patterns.
  5. Monitor CPU usage and event-loop latency of applications using Minimatch, and log rejected patterns, to detect potential exploitation attempts.
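The following is an added example, not code from the Minimatch project or from the original advisory: a validation gate and wrapper placed in front of minimatch(path, pattern) for the case where the pattern arrives from an untrusted client (steps 2, 4 and 5 above). The limits, the allowed character set and the stand-in matcher are assumptions chosen for illustration; in production you would pass the real `require('minimatch')` as the `matcher` argument and tune the limits to the patterns your application genuinely needs.

```javascript
'use strict';
// Added example (not minimatch's own code). Rejects hostile glob patterns
// before they are compiled into a regular expression.

const DEFAULT_LIMITS = {            // assumed limits, tune for your application
  maxLength: 256,   // total pattern length
  maxWildcards: 8,  // '*' and '?' characters, which become regex quantifiers
  maxGlobstars: 2,  // '**' segments, which become unbounded multi-segment matches
  maxBraces: 2,     // '{' characters; each brace group multiplies the expansion
};

// Allowlist for a file-path glob. An anchored, single character-class
// repetition runs in linear time, so the gate itself cannot be used for ReDoS.
const ALLOWED_CHARS = /^[A-Za-z0-9_.\-\/*?{},]*$/;

function countMatches(str, re) {
  return (str.match(re) || []).length;
}

// Returns { ok: true } or { ok: false, reason } without touching the matcher.
function validatePattern(pattern, limits = DEFAULT_LIMITS) {
  if (typeof pattern !== 'string') return { ok: false, reason: 'pattern must be a string' };
  if (pattern.length > limits.maxLength) return { ok: false, reason: 'pattern too long' };
  if (!ALLOWED_CHARS.test(pattern)) return { ok: false, reason: 'disallowed character in pattern' };
  if (countMatches(pattern, /\*\*/g) > limits.maxGlobstars) return { ok: false, reason: 'too many ** segments' };
  if (countMatches(pattern, /[*?]/g) > limits.maxWildcards) return { ok: false, reason: 'too many wildcards' };
  if (countMatches(pattern, /\{/g) > limits.maxBraces) return { ok: false, reason: 'too many brace groups' };
  return { ok: true };
}

// Stand-in for minimatch so the example runs without the package installed.
// Assumption: it understands only '*', '?' and '**' (no brace expansion, no
// character classes). Everything else is escaped and matched literally.
function standInMatcher(path, pattern) {
  const source = pattern.replace(/\*\*|\*|\?|[.+^${}()|[\]\\]/g, (m) =>
    ({ '**': '.*', '*': '[^/]*', '?': '[^/]' })[m] || '\\' + m);
  return new RegExp('^' + source + '$').test(path);
}

// Wrapper: validate first, so a hostile pattern never reaches the regex
// compiler. Returns { matched, rejected } instead of throwing so callers can
// log the rejection reason as a possible exploitation attempt.
function safeMatch(path, pattern, matcher = standInMatcher, limits = DEFAULT_LIMITS) {
  const check = validatePattern(pattern, limits);
  if (!check.ok) return { matched: false, rejected: check.reason };
  return { matched: matcher(path, pattern), rejected: null };
}

// Constructed inputs: one legitimate pattern and two that the gate refuses.
console.log(safeMatch('src/lib/a.js', 'src/**/*.js'));   // matched
console.log(safeMatch('src/lib/a.js', '*'.repeat(64)));  // rejected: too many ** segments
console.log(safeMatch('src/lib/a.js', 'src/(a+)+'));     // rejected: disallowed character
```

The gate is the cheap first line of defence and is deliberately an allowlist: rather than trying to recognise every pattern shape that backtracks badly, it refuses anything outside the small vocabulary a path glob needs and bounds the count of the constructs that expand into quantifiers. It does not replace the upgrade to 3.0.2 or later, and it does not bound the time spent by a pattern that passes; for that, the match has to run off the main thread where it can be killed.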

References

  1. Node Security Project Advisory: https://nodesecurity.io/advisories/118
  2. CWE-20: Improper Input Validation - https://cwe.mitre.org/data/definitions/20.html
  3. OWASP Regular Expression Denial of Service - https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS

Industry Exposure (most to least)

This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Manufacturing
  2. Professional, Scientific, & Technical Services
  3. Management of Companies & Enterprises
  4. Retail Trade
  5. Arts, Entertainment & Recreation
  6. Finance and Insurance
  7. Public Administration
  8. Health Care & Social Assistance
  9. Transportation & Warehousing
  10. Educational Services
  11. Other Services (except Public Administration)
  12. Accommodation & Food Services
  13. Administrative, Support, Waste Management & Remediation Services
  14. Agriculture, Forestry, Fishing & Hunting
  15. Construction
  16. Information
  17. Mining
  18. Real Estate Rental & Leasing
  19. Utilities
  20. Wholesale Trade

Armis Vulnerability Intelligence Database