CVE-2016-10540
Regular expression denial of service (ReDoS) vulnerability in minimatch (npm)
What is CVE-2016-10540 About?
Affected versions of `minimatch` are vulnerable to regular expression denial of service (ReDoS) attacks. This occurs when untrusted user input is passed as the `pattern` argument, causing the regular expression engine to consume excessive resources. The impact is a denial of service, and exploitation requires nothing more than supplying a crafted pattern.
Affected Software
Technical Details
The `minimatch` package, in affected versions, is vulnerable to a regular expression denial of service (ReDoS) attack. The vulnerability arises when untrusted user input is supplied as the `pattern` argument to the `minimatch(path, pattern)` function. The regular expressions that `minimatch` builds internally for pattern matching, particularly those handling character classes and quantifiers, exhibit catastrophic backtracking. An attacker can craft a pattern string that, when evaluated against a corresponding path, forces the regular expression engine to explore an exponentially growing number of matching paths. This leads to a large increase in CPU time and memory consumption and, ultimately, to application slowdown or complete unresponsiveness, resulting in a denial of service.
What is the Impact of CVE-2016-10540?
Successful exploitation may allow attackers to cause a denial of service, leading to service unavailability, application unresponsiveness, and resource exhaustion.
What is the Exploitability of CVE-2016-10540?
Exploitation of this regular expression denial of service (ReDoS) vulnerability is of low complexity. The primary requirement is the ability to provide untrusted user input to a system that uses the affected minimatch library, specifically where this input is used as the pattern argument. No authentication or elevated privileges are necessary. The attack is remote, as it involves sending a carefully crafted string to a service. Prerequisites include the target application using the minimatch library in an affected version and processing user-controlled input as a pattern. The provided proof-of-concept demonstrates how straightforward it is to generate a payload that can significantly delay or crash the application, making the risk of exploitation high in vulnerable contexts.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2016-10540?
About the Fix from Resolved Security
The patch mitigates catastrophic backtracking and regular expression denial of service (ReDoS) by limiting input pattern length, capping certain regex operations, and handling invalid regular expressions safely. This addresses CVE-2016-10540 by preventing attackers from triggering performance issues or crashes via maliciously crafted, excessively long patterns that would previously cause excessive resource consumption or exceptions.
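The three mitigations named above (a pattern length cap, a cap on backtracking-prone constructs, and safe handling of patterns that fail to compile) can be applied at the application boundary as well, before a user-controlled pattern ever reaches the matcher. The following is an added example written for this page, not minimatch's own code or the actual 3.0.2 patch. The limits `MAX_PATTERN_LENGTH` and `MAX_WILDCARDS` are assumptions to be tuned per application, and `simpleGlob` is a stand-in matcher (a backtracking-free `*`/`?` wildcard algorithm, not minimatch's) so the example runs without the package installed; in a real deployment `matchFn` would be `minimatch` itself.

```javascript
// Defensive wrapper around a glob matcher (added example, not minimatch's code).
// Rejects patterns that are too long or carry too many wildcard/class
// constructs before they are compiled, and treats a pattern that throws
// during matching as "no match" instead of crashing the caller.

// Assumption: 64 KiB cap on pattern length; tune for your application.
const MAX_PATTERN_LENGTH = 64 * 1024;
// Assumption: cap on constructs that become regex quantifiers or classes
// ('*', '?', '[' and extglob '(' groups).
const MAX_WILDCARDS = 64;

function guardPattern(pattern) {
  if (typeof pattern !== 'string') {
    return { ok: false, reason: 'pattern must be a string' };
  }
  if (pattern.length > MAX_PATTERN_LENGTH) {
    return { ok: false, reason: 'pattern too long' };
  }
  // Count the glob constructs that map to backtracking-prone regex pieces.
  const wildcards = (pattern.match(/[*?[(]/g) || []).length;
  if (wildcards > MAX_WILDCARDS) {
    return { ok: false, reason: 'too many wildcard constructs' };
  }
  return { ok: true };
}

// matchFn(path, pattern) -> boolean; pass minimatch here in a real deployment.
function safeMatch(path, pattern, matchFn) {
  const verdict = guardPattern(pattern);
  if (!verdict.ok) {
    return false; // reject up front; never compile an oversized pattern
  }
  try {
    return matchFn(path, pattern);
  } catch (err) {
    // Invalid pattern (e.g. an internal regex that fails to compile):
    // report "no match" rather than propagating the exception.
    return false;
  }
}

// Stand-in matcher so this example runs offline: a two-pointer '*' / '?'
// wildcard match with no exponential backtracking. Not minimatch's algorithm.
function simpleGlob(path, pattern) {
  let p = 0, s = 0, starP = -1, starS = -1;
  while (s < path.length) {
    if (p < pattern.length && (pattern[p] === '?' || pattern[p] === path[s])) {
      p++; s++;
    } else if (p < pattern.length && pattern[p] === '*') {
      starP = p++; starS = s;        // remember the star, try matching nothing
    } else if (starP !== -1) {
      p = starP + 1; s = ++starS;    // let the last star absorb one more char
    } else {
      return false;
    }
  }
  while (p < pattern.length && pattern[p] === '*') p++;
  return p === pattern.length;
}

// Usage with constructed inputs:
console.log(safeMatch('src/index.js', 'src/*.js', simpleGlob));   // true
console.log(safeMatch('src/index.js', 'src/*.ts', simpleGlob));   // false
console.log(safeMatch('a', '*'.repeat(100), simpleGlob));         // false (rejected by guard)
console.log(safeMatch('a', 'a', () => { throw new Error('bad'); })); // false (exception contained)
```

The guard runs before the matcher is invoked, so a rejected pattern costs only a linear scan; logging `verdict.reason` at the rejection point gives a cheap detection signal for abusive callers.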
Available Upgrade Options
- minimatch
- <3.0.2 → Upgrade to 3.0.2
Additional Resources
What are Similar Vulnerabilities to CVE-2016-10540?
Similar Vulnerabilities: CVE-2017-16099, CVE-2017-16116, CVE-2018-3729, CVE-2019-10744, CVE-2020-28498
