Platform
nodejs
Component
glob-parent
Fixed in
5.1.2
CVE-2020-28469 describes a Denial of Service (DoS) vulnerability affecting the glob-parent package, a dependency commonly used in Node.js projects. The vulnerability stems from an inefficient regular expression used to validate strings ending in enclosure characters. Exploitation can lead to resource exhaustion and application instability, potentially impacting availability. This vulnerability affects versions of glob-parent prior to 5.1.2, and a fix is available in version 5.1.2.
An attacker can trigger this DoS vulnerability by crafting malicious input that exploits the flawed regular expression within glob-parent. This can lead to excessive CPU usage, memory consumption, or both, effectively causing the Node.js application to become unresponsive or crash. The blast radius depends on the application's architecture and resource limits; a single malicious request could impact the entire server if resources are not properly managed. While no direct data exfiltration is possible, the denial of service can disrupt critical services and potentially be used as a distraction for other attacks.
CVE-2020-28469 was publicly disclosed on June 7, 2021. There is no indication of active exploitation campaigns targeting this vulnerability. No public proof-of-concept (PoC) code has been widely distributed, but the vulnerability's nature makes it relatively straightforward to exploit. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.89% (75th percentile)
CVSS Vector
The primary mitigation for CVE-2020-28469 is to upgrade the glob-parent package to version 5.1.2 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing rate limiting or input validation to restrict the size and complexity of strings passed to glob patterns. Web application firewalls (WAFs) configured to detect and block excessive resource consumption patterns could also provide a temporary layer of protection. Monitor Node.js application performance for unusual CPU or memory spikes, which could indicate exploitation attempts.
Update the glob-parent dependency to version 5.1.2 or higher. This corrects the ReDoS (Regular Expression Denial of Service) vulnerability in the regular expression used to verify strings ending in an enclosure containing a path separator. Run `npm install glob-parent@latest` or `yarn upgrade glob-parent` to update.
CVE-2020-28469 is a Denial of Service vulnerability in the glob-parent Node.js package, allowing attackers to cause resource exhaustion through crafted input.
You are affected if your Node.js project uses glob-parent versions prior to 5.1.2. Run `npm list glob-parent` to check your version.
Upgrade the glob-parent package to version 5.1.2 or later using `npm install glob-parent@5.1.2`.
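Because glob-parent is usually pulled in transitively (by chokidar, fast-glob and similar), a project can carry several nested copies at different versions, and only the one below 5.1.2 matters. The following Node.js script is an added example, not part of this advisory or of the glob-parent project: it walks a package-lock.json (lockfileVersion 1 nested tree or lockfileVersion 2/3 flat "packages" map), lists every copy of glob-parent with its install path, and flags those older than the fixed version. The embedded lock file is constructed for the demo, and the function names are my own.

```javascript
// Added example (not from the advisory): find every glob-parent copy in a
// package-lock.json and flag those older than the fixed version 5.1.2.
// Assumes lockfileVersion 1 ("dependencies" tree) or 2/3 ("packages" map).

const FIXED_VERSION = '5.1.2';

// Compare two dotted versions numerically. A pre-release tag (e.g. 5.1.2-rc.1)
// is stripped for the numeric compare and then sorted before the release,
// so a pre-release of the fixed version still counts as vulnerable.
function compareVersions(a, b) {
  const parse = (v) =>
    v.replace(/^v/, '').split('-')[0].split('.').map((n) => parseInt(n, 10) || 0);
  const pa = parse(a);
  const pb = parse(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  const preA = a.includes('-');
  const preB = b.includes('-');
  if (preA !== preB) return preA ? -1 : 1;
  return 0;
}

function isVulnerable(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// lockfileVersion 1: dependencies are nested objects, so recurse and keep
// the chain of parents as the install path.
function collectV1(deps, prefix, out) {
  for (const [name, info] of Object.entries(deps || {})) {
    const path = prefix ? `${prefix} > ${name}` : name;
    if (name === 'glob-parent') out.push({ path, version: info.version });
    if (info.dependencies) collectV1(info.dependencies, path, out);
  }
}

// lockfileVersion 2/3: a flat map keyed by install location such as
// "node_modules/chokidar/node_modules/glob-parent".
function collectV2(packages, out) {
  for (const [key, info] of Object.entries(packages || {})) {
    if (key === '') continue; // the root project entry
    if (key.endsWith('/glob-parent')) {
      const path = key.replace(/node_modules\//g, '').replace(/\//g, ' > ');
      out.push({ path, version: info.version });
    }
  }
}

// Returns only the copies below the fixed version, in lock-file order.
function findVulnerableGlobParent(lock) {
  const found = [];
  if (lock.packages) collectV2(lock.packages, found);
  else collectV1(lock.dependencies, '', found);
  return found.filter((f) => isVulnerable(f.version));
}

// Constructed sample (lockfileVersion 3): the direct copy is already fixed,
// but two nested copies under chokidar and fast-glob are still old.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/glob-parent': { version: '5.1.2' },
    'node_modules/chokidar': { version: '3.4.0' },
    'node_modules/chokidar/node_modules/glob-parent': { version: '5.1.1' },
    'node_modules/fast-glob': { version: '2.2.7' },
    'node_modules/fast-glob/node_modules/glob-parent': { version: '3.1.0' },
  },
};

function report(lock) {
  const hits = findVulnerableGlobParent(lock);
  for (const h of hits) {
    console.log(`VULNERABLE glob-parent@${h.version} at ${h.path} (fixed in ${FIXED_VERSION})`);
  }
  if (hits.length === 0) console.log('no vulnerable glob-parent found');
  return hits;
}

// Usage: node check-glob-parent.js [path/to/package-lock.json]
// Without an argument the constructed sample lock file above is scanned.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  report(lock);
}
```

Each reported path tells you which parent package pins the old copy, which is what you need when a plain `npm install glob-parent@5.1.2` only updates the top-level dependency and the nested copy remains; an `overrides` (npm) or `resolutions` (yarn) entry for that parent, or upgrading the parent itself, closes the remaining gap.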
There is no current evidence of active exploitation, but the vulnerability is relatively easy to exploit.
Refer to the npm advisory for CVE-2020-28469: https://www.npmjs.com/advisories/1188