Platform
nodejs
Component
minimatch
Fixed in
3.0.5
CVE-2022-3517 is a Regular Expression Denial of Service (ReDoS) vulnerability in the minimatch package. Calling the braceExpand function with a crafted pattern makes minimatch spend a disproportionate amount of CPU time processing it, which results in a Denial of Service (DoS). Versions of minimatch before 3.0.5 are affected; version 3.0.5 contains the fix.
The flaw lies in braceExpand, the routine that expands {a,b}-style brace groups in a pattern before matching. minimatch() calls braceExpand on every pattern it compiles, so an application is exposed whenever untrusted input can shape a pattern, whether it calls braceExpand itself or goes through minimatch or a dependency built on it. An attacker who can supply such a pattern can tie up the process for an extended period, consuming CPU time and memory and degrading or halting the application. The vulnerability carries a CVSS base score of 7.5 (High). Update minimatch to version 3.0.5 or later. Affected software includes build tools, content management systems and any other application that uses minimatch for file pattern matching.
Exploitation consists of sending a crafted pattern string to braceExpand, directly or through a minimatch call. The string is constructed so that the regular expression used to process brace groups backtracks excessively, consuming CPU time out of all proportion to the size of the input. No privileges are required: any user interface or API field that ends up as a glob pattern is a viable entry point. Because the malicious input looks like ordinary glob syntax, it is hard to filter without a specific fix in the library. Exploitation is likely wherever user input reaches braceExpand unvalidated. The attack typically produces no error: in Node.js the match runs synchronously on the event loop, so a single hostile pattern stalls every request handled by that process until the match finishes, and the symptom is pegged CPU and rising latency rather than a crash or a log entry.
Exploit Status
EPSS
0.45% (64th percentile)
CVSS Vector
The primary mitigation for CVE-2022-3517 is to update minimatch to version 3.0.5 or later, which contains the fix. If an immediate update is not possible, trace the code paths by which a pattern reaches braceExpand (minimatch() itself calls it, as does glob through minimatch) and treat each path that can carry untrusted input as an entry point. Validate patterns at those points: cap their length, the depth of brace nesting and the number of brace alternatives before they are used. Monitoring CPU usage and event-loop lag in the affected processes helps detect an attack in progress. Where patterns arrive over HTTP, a Web Application Firewall rule on pattern length or brace count adds a further layer, but it cannot see patterns assembled server-side. The update remains the most effective and recommended fix.
Update the minimatch package to version 3.0.5 or later to mitigate the ReDoS denial-of-service risk. For a direct dependency you can do this with npm or yarn: `npm install minimatch@latest` or `yarn add minimatch@latest`. minimatch is usually pulled in transitively (for example through glob), so also run `npm ls minimatch` to find nested copies and use `npm audit fix`, an `overrides` entry in package.json (npm) or a `resolutions` entry (yarn) to force those copies to 3.0.5 or later.
ReDoS (Regular Expression Denial of Service) is a denial-of-service technique that feeds a regular expression an input chosen to make the matching engine backtrack excessively, so that a single match consumes a disproportionate amount of CPU time.
Not every application that depends on minimatch is exposed. The vulnerable code path is braceExpand, which minimatch() calls on every pattern it compiles; an application is at risk when the patterns it passes to minimatch (directly, or through a dependency such as glob) can be influenced by untrusted input.
If you cannot update immediately, review the code paths through which a pattern reaches minimatch and add input validation that caps pattern length, brace nesting depth and the number of brace alternatives before the pattern is used.
To detect an attack in progress, watch CPU usage and event-loop lag in the Node.js processes that use minimatch. A regular expression match runs synchronously, so a hostile pattern shows up as a stalled event loop and rising request latency, not as an error.
Static analysis tools exist that flag regular expressions with potentially super-linear backtracking, and dynamic tools can fuzz a regex with crafted inputs to measure its worst-case running time. These help audit your own patterns but do not substitute for updating the library.
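The pattern pre-filter recommended in the mitigation section and in the answer above, written out as an added example. This is illustrative code, not minimatch's own code and not part of the original advisory: the ceilings in LIMITS and the function names are assumptions, and the expansion estimate approximates brace-expansion's grammar (comma alternatives, nesting, backslash escapes, {x..y[..step]} sequences) rather than reproducing it. It rejects a pattern by its shape before minimatch ever sees it, which is the only lever available when the library cannot yet be upgraded.

```javascript
// Illustrative ceilings (assumed values, not minimatch's own constants).
// Tune them to the largest legitimate pattern your application accepts.
const LIMITS = Object.freeze({
  maxLength: 1024,      // characters in the raw pattern
  maxDepth: 3,          // deepest nesting of {} groups
  maxBracePairs: 16,    // balanced {} pairs anywhere in the pattern
  maxExpansions: 1000,  // strings the pattern would expand to
});

const CAP = Number.MAX_SAFE_INTEGER;
const addCapped = (a, b) => Math.min(CAP, a + b);
const mulCapped = (a, b) => Math.min(CAP, a * b);

// Body of a bash sequence expression: 1..10, a..z, 0..100..5, -5..5.
const SEQ_RE = /^(-?\d+|[a-zA-Z])\.\.(-?\d+|[a-zA-Z])(?:\.\.(-?\d+))?$/;

// Number of items a sequence expression yields, or null if `text` is not one.
function sequenceCount(text) {
  const m = SEQ_RE.exec(text);
  if (m === null) return null;
  const numeric = /^-?\d+$/.test(m[1]) && /^-?\d+$/.test(m[2]);
  const alpha = /^[a-zA-Z]$/.test(m[1]) && /^[a-zA-Z]$/.test(m[2]);
  if (!numeric && !alpha) return null;              // mixed forms stay literal
  const a = numeric ? Number(m[1]) : m[1].charCodeAt(0);
  const b = numeric ? Number(m[2]) : m[2].charCodeAt(0);
  const step = Math.max(1, Math.abs(Number(m[3] ?? 1)));
  return Math.min(CAP, Math.floor(Math.abs(b - a) / step) + 1);
}

// Walks a brace pattern without expanding it and reports how large the
// expansion would be. An unmatched '{' is treated as a literal character,
// as brace-expansion does. Returns { length, bracePairs, maxDepth, expansions }.
function analyzePattern(pattern) {
  // Parses pattern[start..] up to, not including, a char in stopChars or the end.
  function parseSegment(start, depth, stopChars) {
    const out = { count: 1, end: start, bracePairs: 0, maxDepth: depth };
    let i = start;
    while (i < pattern.length) {
      const ch = pattern[i];
      if (ch === '\\') { i += 2; continue; }           // escaped char is literal
      if (stopChars.includes(ch)) break;
      if (ch === '{') {
        const group = parseGroup(i, depth + 1);
        if (group !== null) {
          out.count = mulCapped(out.count, group.count);
          out.bracePairs += group.bracePairs;
          out.maxDepth = Math.max(out.maxDepth, group.maxDepth);
          i = group.end + 1;
          continue;
        }
      }
      i += 1;
    }
    out.end = i;
    return out;
  }

  // Parses the group whose '{' is at `open`; returns null if it never closes.
  function parseGroup(open, depth) {
    const alts = [];
    let bracePairs = 1;
    let maxDepth = depth;
    let i = open + 1;
    for (;;) {
      const seg = parseSegment(i, depth, ',}');
      if (seg.end >= pattern.length) return null;
      alts.push({ count: seg.count, text: pattern.slice(i, seg.end) });
      bracePairs += seg.bracePairs;
      maxDepth = Math.max(maxDepth, seg.maxDepth);
      i = seg.end + 1;
      if (pattern[seg.end] === '}') break;
    }
    // A lone {x..y[..step]} is a sequence; any other single item is literal text.
    const count = alts.length === 1
      ? (sequenceCount(alts[0].text) ?? alts[0].count)
      : alts.reduce((sum, alt) => addCapped(sum, alt.count), 0);
    return { count, end: i - 1, bracePairs, maxDepth };
  }

  const top = parseSegment(0, 0, '');
  return { length: pattern.length, bracePairs: top.bracePairs,
           maxDepth: top.maxDepth, expansions: top.count };
}

// Gate for untrusted patterns: null when acceptable, otherwise a short reason.
// Call it before minimatch() or glob() sees the input.
function rejectReason(pattern, limits = LIMITS) {
  if (typeof pattern !== 'string') return 'pattern must be a string';
  if (pattern.length > limits.maxLength) return `pattern longer than ${limits.maxLength} characters`;
  const s = analyzePattern(pattern);
  if (s.maxDepth > limits.maxDepth) return `brace nesting deeper than ${limits.maxDepth}`;
  if (s.bracePairs > limits.maxBracePairs) return `more than ${limits.maxBracePairs} brace groups`;
  if (s.expansions > limits.maxExpansions) return `would expand to ${s.expansions} strings (limit ${limits.maxExpansions})`;
  return null;
}

// Constructed sample patterns: two ordinary build globs, then inputs shaped to
// blow up brace expansion (exponential alternatives, a huge sequence, deep nesting).
const SAMPLES = [
  'src/**/*.{js,ts}',
  'assets/{images,fonts}/*.{png,woff2}',
  '{a,b}'.repeat(12),                        // 2^12 = 4096 expansions
  '{1..100000}',                             // one group, 100000 expansions
  '{'.repeat(40) + 'x' + '}'.repeat(40),     // nesting depth 40
];
for (const p of SAMPLES) console.log(JSON.stringify(p), '=>', rejectReason(p) ?? 'ok');
```

Run rejectReason() on any untrusted pattern before it reaches minimatch() or glob(); a non-null result is the reason to refuse the request with a 4xx instead of attempting the match. Setting the ceilings to the largest pattern you actually accept matters more than the exact numbers used here, and the check complements the upgrade to 3.0.5 rather than replacing it: the analyzer measures the size of the expansion, not the backtracking behaviour of the library's regular expression, so a short pattern that the fixed library would reject can still pass a loosely tuned filter.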