Platform
nodejs
Component
glob-parent
Fixed version
5.1.2
CVE-2020-28469 is a Regular Expression Denial of Service (ReDoS) vulnerability in the glob-parent package, a small library that extracts the non-glob parent directory from a glob pattern and is pulled into many Node.js projects as a transitive dependency. The `enclosure` regular expression used to detect strings ending in an enclosure (`{...}` or `[...]`) that contains a path separator backtracks catastrophically on crafted input. Exploitation exhausts CPU on the thread running the match and, because Node.js runs application code on a single event loop, stalls the whole application, affecting availability. Versions of glob-parent prior to 5.1.2 are affected; the fix is in 5.1.2.
An attacker who can get a crafted string into a code path that calls glob-parent (for example, a user-supplied file pattern) triggers the vulnerability with an input that opens an enclosure, never closes it, and is padded with a long run of path separators. The regular expression engine then tries every way of dividing the padding among the pattern's overlapping quantifiers before failing, and the time grows polynomially with input length: a few thousand characters are enough to occupy the event loop for seconds to minutes. While the match runs the process serves no other requests, so a single request can take down the server regardless of memory limits, and repeated requests keep it down. No data is disclosed, but the outage can disrupt critical services and serve as cover for other activity.
CVE-2020-28469 was publicly disclosed on June 7, 2021. There is no indication of active exploitation campaigns targeting it, and it is not listed in the CISA KEV catalog. A proof of concept is trivial to construct, however: the vulnerable pattern is a few characters long and the triggering input is an opening bracket followed by a repeated separator.
Any Node.js application with glob-parent below 5.1.2 anywhere in its dependency tree is exposed. glob-parent is rarely a direct dependency; it arrives transitively through file-watching and globbing libraries (chokidar, fast-glob, gulp tooling and similar), so most affected projects do not list it in package.json. The practical risk is highest where glob patterns are built from untrusted input, such as user-supplied file filters; a build tool that only processes patterns from its own configuration is affected in principle but hard to attack.
• nodejs / server:
npm ls glob-parent
Lists every installed copy, including copies nested under other packages. Any copy with a version below 5.1.2 is vulnerable; a fixed top-level copy does not cover a nested one.
• nodejs / server:
npm audit
Reports known vulnerable packages from the lockfile, including this advisory, and proposes updates (npm audit fix applies those that stay within the declared version ranges).
• generic web: Monitor the Node.js process for event-loop stalls and sustained 100% usage of a single core that coincide with requests carrying long glob-like strings. Catastrophic backtracking blocks the event loop without logging anything itself, so request timeouts and health-check failures are usually the first symptom.
Exploitation status
EPSS
0.89% (75th percentile)
CVSS vector
The primary mitigation for CVE-2020-28469 is to upgrade glob-parent to version 5.1.2 or later in every place it is installed. If upgrading is not immediately feasible, reduce exposure instead: never pass untrusted input directly to glob pattern APIs, cap the length of any string that can reach one (the attack needs thousands of characters, while legitimate patterns are short), and enforce request timeouts. Rate limiting alone helps little, since one request is enough to block the event loop; a WAF or reverse proxy can add a temporary layer by rejecting over-long parameters before they reach the application. Monitor for event-loop lag and sustained single-core CPU saturation, which are the observable signs of a match in progress.
Update the glob-parent dependency to version 5.1.2 or later. This corrects the ReDoS in the regular expression used to check for strings ending in an enclosure containing a path separator. Run `npm install glob-parent@latest` or `yarn upgrade glob-parent` to update. Those commands only move a direct dependency; for the usual transitive case, update the parent package, run `npm audit fix`, or pin the version with an `overrides` entry (npm) or `resolutions` (yarn) in package.json, then re-run `npm ls glob-parent` to confirm that no copy below 5.1.2 remains.
CVE-2020-28469 is a Regular Expression Denial of Service (ReDoS) vulnerability in the glob-parent Node.js package: a crafted glob string makes the library's `enclosure` regular expression backtrack catastrophically, consuming CPU and blocking the event loop.
You are affected if any copy of glob-parent below 5.1.2 is installed in your Node.js project, directly or transitively. Run npm ls glob-parent to list every installed copy and its version.
Upgrade glob-parent to 5.1.2 or later, for example with npm install glob-parent@5.1.2 for a direct dependency or npm audit fix for a transitive one.
There is no current evidence of active exploitation, but the vulnerability is easy to trigger wherever untrusted input reaches a glob pattern.
Refer to the npm advisory for CVE-2020-28469: https://www.npmjs.com/advisories/1188