CVE-2022-3517 Overview
A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the minimatch package, a popular glob matching library for Node.js. This flaw allows attackers to trigger excessive CPU consumption when the braceExpand function is called with specially crafted input arguments, resulting in a Denial of Service condition. The minimatch package is widely used as a dependency in numerous Node.js projects, making this vulnerability particularly impactful across the JavaScript ecosystem.
Critical Impact
Attackers can exploit this vulnerability remotely without authentication to cause service disruption through CPU exhaustion, affecting any application using vulnerable versions of minimatch for glob pattern matching.
Affected Products
- minimatch (Node.js package; listed by NVD under the vendor name minimatch_project)
- Debian Linux 10.0
- Fedora 36 and 37
Discovery Timeline
- 2022-10-17 - CVE-2022-3517 published to NVD
- 2025-05-13 - Last updated in NVD database
Technical Details for CVE-2022-3517
Vulnerability Analysis
This vulnerability is a Regular Expression Denial of Service (ReDoS) weakness in the minimatch package's braceExpand function. ReDoS occurs when a regular expression, evaluated by a backtracking engine, takes super-linear (in the worst case exponential) time on certain inputs. Here, the braceExpand function, which handles brace expansion in glob patterns, contains a regex pattern that can be exploited by supplying maliciously crafted input strings.
When a vulnerable regex encounters an adversarial input, the engine's backtracking explores a rapidly growing number of candidate matches, so evaluation time grows exponentially with input length. This allows a remote attacker to submit specially crafted glob patterns that force the application to consume excessive CPU resources, effectively blocking legitimate requests and causing service unavailability.
The vulnerability is classified under CWE-400 (Uncontrolled Resource Consumption) and CWE-1333 (Inefficient Regular Expression Complexity), both of which highlight the fundamental issue of algorithmic complexity attacks against regex-based input processing.
Root Cause
The root cause of this vulnerability lies in the inefficient regular expression pattern used within the braceExpand function. The regex contains nested quantifiers or overlapping patterns that trigger catastrophic backtracking when processing certain input strings. This is a common anti-pattern in regex design where the regex engine must explore an exponentially growing number of possible matches before determining that a string does not match.
The fix committed to the minimatch repository addresses this by refactoring the vulnerable regex pattern to avoid backtracking-prone constructs, ensuring linear or polynomial time complexity regardless of input characteristics.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by sending malicious glob pattern strings to any application that uses the minimatch library for pattern matching operations.
The attack can be performed by constructing input strings that maximize the regex backtracking time. Typically, these strings contain repeated characters or patterns that cause the regex engine to explore numerous matching possibilities. Applications that accept user-supplied glob patterns for file matching, filtering, or routing are particularly vulnerable.
Since no verified code examples are available for this vulnerability, readers are encouraged to review the GitHub Commit A8763F5 for technical implementation details of the fix, and the Grafana Image Renderer Issue #329 for a real-world example of how this vulnerability manifested in production software.
Detection Methods for CVE-2022-3517
Indicators of Compromise
- Unusual CPU spikes or sustained high CPU usage in Node.js application processes
- Application unresponsiveness or timeout errors correlating with user-supplied input processing
- Memory consumption anomalies in processes handling glob pattern matching
- Increased response times for endpoints that accept file path or pattern inputs
Detection Strategies
- Implement application performance monitoring to detect abnormal CPU utilization patterns in Node.js services
- Use dependency scanning tools such as npm audit, Snyk, or Dependabot to identify vulnerable minimatch versions in your dependency tree
- Monitor application logs for request timeout errors that may indicate ReDoS attacks
- Deploy Web Application Firewalls (WAF) with rules to detect and block excessively long or malformed glob pattern inputs
Monitoring Recommendations
- Set up alerts for CPU utilization exceeding baseline thresholds on application servers running Node.js workloads
- Implement request timeout monitoring to identify potential DoS attack patterns
- Regularly audit the software bill of materials (SBOM) for applications to track minimatch version usage across your environment
How to Mitigate CVE-2022-3517
Immediate Actions Required
- Update the minimatch package to a patched version that addresses the ReDoS vulnerability
- Run npm audit or equivalent dependency scanning tools to identify all projects using vulnerable minimatch versions
- Review application code to identify endpoints that accept user-supplied glob patterns and implement input validation
- Consider implementing request timeouts and rate limiting for endpoints that process pattern matching operations
Patch Information
The maintainers of minimatch have released a fix for this vulnerability. The specific commit addressing the issue is available at the minimatch GitHub repository. Users should update to the latest version of minimatch that includes this fix.
For Linux distributions:
- Debian users should refer to the Debian LTS Announcement for package update information
- Fedora users should consult the Fedora package announcements for updated packages
Workarounds
- Implement input validation to reject glob patterns exceeding a reasonable length threshold before passing to minimatch
- Set execution timeouts for pattern matching operations to prevent extended CPU consumption
- Use alternative glob matching libraries that are not affected by this vulnerability as a temporary measure
- Deploy rate limiting on endpoints that accept user-controlled pattern inputs to limit the impact of exploitation attempts
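The input-validation workaround above, as an added example (not code from the minimatch project or this advisory): a linear-time pre-check that rejects user-supplied glob patterns by length, brace nesting depth, and an upper bound on the number of brace expansions before they reach minimatch. The LIMITS thresholds, the function name and the sample pattern are assumptions.

```javascript
// Added example, not minimatch's own code: a linear-time guard that runs in
// front of minimatch on user-supplied glob patterns. Thresholds are assumptions;
// tune them to the patterns the application legitimately needs.
const LIMITS = {
  maxLength: 256,     // hard cap on pattern length
  maxBraceDepth: 3,   // nesting depth of {...} groups
  maxExpansions: 512, // upper bound on strings brace expansion may produce
};

// One pass over the pattern. Returns { ok, reason?, expansions }.
// expansions is an upper bound: the product of the alternative counts of
// every brace group (a numeric range such as {1..100} counts its size).
function inspectGlobPattern(pattern, limits = LIMITS) {
  if (typeof pattern !== 'string') return { ok: false, reason: 'not a string' };
  if (pattern.length > limits.maxLength) return { ok: false, reason: 'too long' };
  const stack = []; // open groups: { start, alternatives }
  let expansions = 1;
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '\\') { i++; continue; } // escaped character is a literal
    if (ch === '{') {
      stack.push({ start: i + 1, alternatives: 1 });
      if (stack.length > limits.maxBraceDepth) {
        return { ok: false, reason: 'braces nested too deep' };
      }
    } else if (ch === ',' && stack.length) {
      stack[stack.length - 1].alternatives++;
    } else if (ch === '}' && stack.length) {
      const group = stack.pop();
      const body = pattern.slice(group.start, i);
      const range = /^(-?\d+)\.\.(-?\d+)(?:\.\.(\d+))?$/.exec(body);
      const count = range
        ? Math.floor(Math.abs(Number(range[2]) - Number(range[1])) / (Number(range[3]) || 1)) + 1
        : group.alternatives;
      expansions *= count; // each group multiplies the candidate strings
      if (expansions > limits.maxExpansions) {
        return { ok: false, reason: 'too many brace expansions', expansions };
      }
    }
  }
  return { ok: true, expansions };
}

// Constructed sample pattern: returns { ok: true, expansions: 2 }.
const sampleCheck = inspectGlobPattern('src/**/*.{js,ts}');
```

Because minimatch's matcher is synchronous, a timer on the same thread cannot interrupt a match that is already running, so this pre-check is the enforceable control; a real execution timeout requires running the match in a worker thread or child process that can be terminated.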
# Update the direct minimatch dependency to the latest patched version that the range in package.json allows
npm update minimatch
# Audit the full dependency tree, including transitive copies of minimatch, for known vulnerabilities
npm audit
# Apply non-breaking fixes automatically where possible; review any remaining findings manually
npm audit fix
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.