CVE-2020-28469
Regex Denial of Service vulnerability in glob-parent

Regex Denial of Service | No known exploit | Fixable by Resolved Security

What is CVE-2020-28469 About?

This vulnerability affects the `glob-parent` package, allowing for a potential Regex Denial of Service (ReDoS) due to an inefficient regular expression. An attacker can craft a malicious string that causes excessive processing time, leading to application unresponsiveness. Exploitation is relatively easy if an attacker can inject specific input into the regex.

Affected Software

glob-parent >4.0.0, <5.1.2

Technical Details

The vulnerability resides in the `glob-parent` package, specifically before version 5.1.2. It is caused by an inefficient regular expression used to check for strings ending in an enclosure containing a path separator. A crafted input string, designed to trigger worst-case backtracking behavior in the regex engine, can lead to an exponential increase in processing time. This 'catastrophic backtracking' consumes significant CPU resources, causing the application to become unresponsive or crash, thus resulting in a denial of service.

What is the Impact of CVE-2020-28469?

Successful exploitation may allow attackers to cause a denial of service, rendering the affected application unresponsive or unavailable to legitimate users.

What is the Exploitability of CVE-2020-28469?

Exploitation complexity is low to moderate, requiring an attacker to provide specially crafted input that is processed by the vulnerable regular expression. No specific authentication or privilege is typically required, as the input often originates from user-controlled data or external sources. The attack is generally remote, depending on how external input is fed into the `glob-parent` package. The primary prerequisite is that the application uses the vulnerable `glob-parent` version and processes user-supplied strings with the problematic regex. Risk factors include applications that handle untrusted file paths, URLs, or other string inputs that are then subject to glob pattern matching.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits (no entries listed)

What are the Available Fixes for CVE-2020-28469?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch modifies a regular expression to correctly match pattern enclosures without allowing ambiguous trailing slashes, preventing catastrophic backtracking on crafted input like a large number of forward slashes. This fix mitigates the Regular Expression Denial of Service (ReDoS) vulnerability described in CVE-2020-28469 by ensuring that malicious patterns cannot exhaust resources, improving the application's resilience against DoS attacks.
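To make the Technical Details and the description of the fix concrete, the following is an added example written for this page; it is not code from the original page, from the glob-parent project, or from Resolved Security. VULNERABLE_ENCLOSURE is the "enclosure" regex as I recall it from glob-parent 5.1.1 (treat that as an assumption), and SAFE_ENCLOSURE is an equivalent I wrote by dropping the redundant `[\/]*`; the upstream 5.1.2 patch made the same simplification to my knowledge, but the vendor's patch is not reproduced here. The sample inputs, the length limit and the helper names are all constructed for the example.

```javascript
// Added example, not code from the page or the glob-parent project.
// Assumption: VULNERABLE_ENCLOSURE is the pre-5.1.2 "enclosure" regex as
// recalled from the project source; SAFE_ENCLOSURE is a hardened equivalent
// written for this example.

// Vulnerable form: `.*[\/]*.*` is three overlapping quantifiers. On an input
// like "{" followed by many "/" and no closing "}", the engine tries every way
// of splitting the slashes between the three quantifiers before `[\}\]]$`
// finally fails, so the work grows polynomially (roughly cubically) with length.
const VULNERABLE_ENCLOSURE = /[\{\[].*[\/]*.*[\}\]]$/;

// Hardened form: `.` already matches "/" (it excludes only line terminators),
// so `.*[\/]*.*` and `.*` accept exactly the same strings. With one quantifier
// the failed match backtracks linearly.
const SAFE_ENCLOSURE = /[\{\[].*[\}\]]$/;

// Constructed sample inputs: the cases the enclosure check exists for (a
// trailing {...} or [...] group containing a separator), ordinary globs and
// plain paths that must not match, and a short instance of the bad shape.
const SAMPLE_INPUTS = [
  'src/{a/b,c/d}', // enclosure containing a path separator: match
  'src/[a/b]',     // same with brackets: match
  'src/**/*.js',   // glob without a trailing enclosure: no match
  'src/index.js',  // plain path: no match
  'src/{a,b}/',    // trailing slash after the enclosure: no match
  '{',             // unterminated enclosure: no match
  '{/////',        // the pathological shape, kept short: no match
];

// True when both regexes agree on every input, i.e. the hardening changed
// performance only, not which strings count as enclosures.
function regexesAgree(inputs = SAMPLE_INPUTS) {
  return inputs.every(
    (s) => VULNERABLE_ENCLOSURE.test(s) === SAFE_ENCLOSURE.test(s)
  );
}

// The input shape the advisory describes: an opening brace followed by
// n forward slashes and no closing brace.
function pathologicalInput(n) {
  return '{' + '/'.repeat(n);
}

// Runs `re` against pathologicalInput(n) and reports the result and the
// elapsed milliseconds (process.hrtime is available in CommonJS and ESM).
function timeRegex(re, n) {
  const input = pathologicalInput(n);
  const start = process.hrtime.bigint();
  const matched = re.test(input);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { matched, ms };
}

// Mitigation for code that cannot upgrade immediately: bound the length of a
// pattern before it reaches the glob parser, so untrusted input cannot make
// the polynomial case expensive. MAX_PATTERN_LENGTH is a constructed value;
// pick one that covers every legitimate pattern your application accepts.
const MAX_PATTERN_LENGTH = 4096;
function acceptPattern(pattern) {
  return typeof pattern === 'string' && pattern.length <= MAX_PATTERN_LENGTH;
}

// Demo with modest n so the vulnerable regex still finishes quickly: doubling
// n multiplies its time by roughly eight, while the safe regex stays flat.
console.log('regexes agree on samples:', regexesAgree());
for (const n of [100, 200, 400]) {
  const v = timeRegex(VULNERABLE_ENCLOSURE, n);
  const s = timeRegex(SAFE_ENCLOSURE, n);
  console.log(`n=${n}: vulnerable ${v.ms.toFixed(2)} ms, safe ${s.ms.toFixed(3)} ms`);
}
```

Run it with `node` and compare the two columns as n doubles. Because `.*[\/]*.*` and `.*` are equivalent as languages, the patched regex is a pure performance fix: every string that ended in an enclosure before still does, so callers of `globParent` see no behavioural change. The length guard is defence in depth for applications that feed user-controlled strings into glob handling and cannot roll out the upgrade at once; it does not replace upgrading to 5.1.2.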

Available Upgrade Options

  • glob-parent
    • >4.0.0, <5.1.2 → Upgrade to 5.1.2


Additional Resources

What are Similar Vulnerabilities to CVE-2020-28469?

Similar Vulnerabilities: CVE-2020-28470, CVE-2021-23336, CVE-2021-23424, CVE-2021-23425, CVE-2021-23426