github / advisory-database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Creative Commons Attribution 4.0 International

[GHSA-ww39-953v-wcq6] glob-parent vulnerable to Regular Expression Denial of Service in enclosure regex #4557

Closed sealonohana closed 1 week ago

sealonohana commented 1 week ago

Updates

Comments: Version 2.0.0 did not use a RegEx to detect and extract the parent path from a glob string. It used a do-while loop and the path.dirname method:
https://github.com/gulpjs/glob-parent/tree/f5974fd556d2d8428de3521be394771ae4fd23f3
https://github.com/gulpjs/glob-parent/blob/f5974fd556d2d8428de3521be394771ae4fd23f3/index.js

Also, the PoC of the ReDoS does not work for version 2.0.0.