CVE-2016-10540
Description
Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern), in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the pattern parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Minimatch before 3.0.2 is vulnerable to ReDoS via crafted glob patterns, allowing denial of service.
Vulnerability
Minimatch, a minimal glob matching utility for Node.js, is vulnerable to a Regular Expression Denial of Service (ReDoS) in the minimatch(path, pattern) function. The issue affects versions 3.0.1 and earlier [1][2]. The vulnerability resides in the pattern parameter, where a crafted glob expression can cause catastrophic backtracking in the regular expression engine [2].
Exploitation
An attacker must be able to supply a malicious glob pattern to the minimatch() function, for example via user-controlled input in a web application. The Proof of Concept provided in the advisory uses a long string of backslashes (\) preceded by [! to trigger a denial of service [2]. No authentication or special privileges are required. The attack is performed by calling minimatch("foo", exploit) where exploit is a carefully constructed string [2].
Impact
Successful exploitation leads to a denial of service (DoS) condition. The Node.js process hangs or becomes unresponsive due to excessive CPU consumption from regex backtracking [1][2]. The impact is limited to availability; there is no disclosure of information or code execution.
Mitigation
Update to minimatch version 3.0.2 or later [2]. The fix was released to address the ReDoS vulnerability. No other workarounds are documented in the available references. Users on unmaintained Node.js versions should also upgrade minimatch as part of a broader update strategy [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| minimatch (npm) | < 3.0.2 | 3.0.2 |
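Checking an installed dependency tree against the patched range above, as an added example that is not part of this record or of the minimatch project: the scanner and the sample package-lock.json contents are constructed here, and any minimatch version below 3.0.2 is treated as affected.

```javascript
// Added example (not from the advisory): scan a package-lock.json object for copies of minimatch
// affected by CVE-2016-10540 (any version below 3.0.2), in lockfileVersion 1 and 2/3 shapes.
const FIRST_PATCHED = '3.0.2';
// Numeric "major.minor.patch" compare, ignoring pre-release/build suffixes.
// Returns < 0 if a is older than b, 0 if equal, > 0 if newer.
function compareVersions(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split(/[-+]/)[0].split('.').map(Number));
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}
const isAffected = (version) => compareVersions(version, FIRST_PATCHED) < 0;
// Returns [{ path, version }] for every affected minimatch entry in the lock file object.
function findAffectedMinimatch(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path, e.g. "node_modules/x/node_modules/minimatch"
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (p.endsWith('node_modules/minimatch') && meta.version && isAffected(meta.version)) {
        hits.push({ path: p, version: meta.version });
      }
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" objects, one level per install directory
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const p = `${prefix}node_modules/${name}`;
      if (name === 'minimatch' && isAffected(meta.version)) hits.push({ path: p, version: meta.version });
      walk(meta.dependencies, `${p}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}
// Constructed sample lock file: the top-level minimatch is patched, a nested copy is not.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    minimatch: { version: '3.0.4' },
    'old-tool': { version: '1.0.0', dependencies: { minimatch: { version: '3.0.1' } } },
  },
};
for (const h of findAffectedMinimatch(SAMPLE_LOCK)) {
  console.log(`${h.path}@${h.version} is affected by CVE-2016-10540; upgrade to >= ${FIRST_PATCHED}`);
}
```

Nested copies are the usual reason an upgraded top-level minimatch still leaves an affected one on disk, which is why the scan walks every install directory rather than only the root.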
Affected products
- Vendor: HackerOne; product: minimatch node module; affected range: <= 3.0.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-hxm2-r34f-qmc5 (GHSA; advisory)
- nvd.nist.gov/vuln/detail/CVE-2016-10540 (GHSA; advisory)
- nodesecurity.io/advisories/118 (MITRE; x_refsource_MISC)
- www.npmjs.com/advisories/118 (GHSA; web)
News mentions
No linked articles in our index yet.