CVE-2022-3517
Regular Expression Denial of Service (ReDoS) vulnerability in minimatch
What is CVE-2022-3517 About?
This vulnerability is a Regular Expression Denial of Service (ReDoS) found in the `minimatch` package. It allows an attacker to trigger excessive processing when calling the `braceExpand` function with specific arguments, leading to an application-level Denial of Service. This ReDoS is relatively easy to trigger with crafted input.
Affected Software
Technical Details
The `minimatch` package is susceptible to a Regular Expression Denial of Service (ReDoS) vulnerability. This flaw arises when the `braceExpand` function is called with specifically crafted arguments. The regular expression used within this function, when confronted with a pathological input string, can backtrack excessively and consume an inordinate amount of CPU time. This uncontrolled processing can lock up the thread or process handling the malicious input, effectively causing a Denial of Service (DoS) for the application using the `minimatch` package. The attack vector involves supplying a specially designed string that exploits the regex's inefficiency during the brace expansion operation.
What is the Impact of CVE-2022-3517?
Successful exploitation may allow attackers to cause the application to become unresponsive or crash due to excessive CPU utilization, leading to a denial of service for legitimate users.
What is the Exploitability of CVE-2022-3517?
Exploitation is of low complexity and involves crafting a specific input string that triggers the ReDoS when processed by `minimatch`'s `braceExpand` function. No authentication or special privileges are typically required, as the attack targets how the application processes pattern-matching inputs. Access can be remote if the application exposes functionality that processes user-controlled strings using `minimatch`. The primary prerequisite is that the application uses the `minimatch` package and processes untrusted input through the vulnerable function. Risk factors include libraries or applications where user-supplied patterns or filenames are globbed or expanded without sanitization.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-3517?
About the Fix from Resolved Security
This patch fixes CVE-2022-3517 by adding strict validation of pattern types and lengths, rejecting non-string or excessively long patterns to prevent denial-of-service via catastrophic backtracking or resource exhaustion. The introduced assertValidPattern function is used across all entry points to consistently enforce these restrictions, closing the avenue for attackers to supply malicious patterns that can crash or hang the application.
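As an added illustration of the mitigation described above (example code, not minimatch's own implementation): a guard that applies the same two rules, string type and bounded length, at the boundary before any pattern reaches the matcher. The default limit value and the `guardedMatch` / `isValidPattern` helpers are assumptions made for this example; the page does not state the exact length cap the upstream patch uses.

```javascript
// Added example, not minimatch's own code: a pattern guard modelled on the
// fix described above (type + length validation at every entry point).
// DEFAULT_MAX_PATTERN_LENGTH is a constructed default; the page does not
// state the exact limit the upstream patch uses, so treat it as configurable.
const DEFAULT_MAX_PATTERN_LENGTH = 64 * 1024;

class InvalidPatternError extends TypeError {
  constructor(message) {
    super(message);
    this.name = 'InvalidPatternError';
  }
}

// Reject anything that is not a string, and strings long enough to let a
// backtracking regex or brace expansion consume unbounded CPU time.
function assertValidPattern(pattern, maxLength = DEFAULT_MAX_PATTERN_LENGTH) {
  if (typeof pattern !== 'string') {
    throw new InvalidPatternError('invalid pattern: expected a string');
  }
  if (pattern.length > maxLength) {
    throw new InvalidPatternError(
      `pattern is too long: ${pattern.length} > ${maxLength}`);
  }
  return pattern;
}

// Enforce the guard once, at the entry point, before untrusted patterns are
// handed to the matcher. `matchFn` stands in for a call such as
// minimatch/braceExpand; every pattern is validated before any is matched.
function guardedMatch(matchFn, patterns, maxLength = DEFAULT_MAX_PATTERN_LENGTH) {
  const list = Array.isArray(patterns) ? patterns : [patterns];
  const checked = list.map((p) => assertValidPattern(p, maxLength));
  return checked.map((p) => matchFn(p));
}

// Non-throwing variant for callers that prefer to drop bad input outright,
// e.g. a request validator in front of a glob-based file listing.
function isValidPattern(pattern, maxLength = DEFAULT_MAX_PATTERN_LENGTH) {
  try {
    assertValidPattern(pattern, maxLength);
    return true;
  } catch (err) {
    if (err instanceof InvalidPatternError) return false;
    throw err;
  }
}
```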
Available Upgrade Options
- minimatch
  - <3.0.5 → Upgrade to 3.0.5
Additional Resources
- https://github.com/grafana/grafana-image-renderer/issues/329
- https://github.com/isaacs/minimatch
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/
- https://github.com/nodejs/node/issues/42510
- https://lists.debian.org/debian-lts-announce/2023/01/msg00011.html
- https://github.com/isaacs/minimatch/commit/a8763f4388e51956be62dc6025cec1126beeb5e6
- https://osv.dev/vulnerability/GHSA-f8q6-p94x-37v3
- https://nvd.nist.gov/vuln/detail/CVE-2022-3517
What are Similar Vulnerabilities to CVE-2022-3517?
Similar Vulnerabilities: CVE-2022-25858, CVE-2022-24434, CVE-2022-22970, CVE-2023-28155, CVE-2023-26116
