VYPR
High severity · NVD Advisory · Published Jun 3, 2021 · Updated Sep 16, 2024

Regular Expression Denial of Service (ReDoS)

CVE-2020-28469

Description

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

glob-parent before 5.1.2 contains a regular expression denial of service (ReDoS) vulnerability via a crafted enclosure string.

Vulnerability

The glob-parent package before version 5.1.2 uses a regular expression to check for strings ending in an enclosure containing a path separator. The regex is vulnerable to catastrophic backtracking, leading to ReDoS [1][2].

Exploitation

An attacker can provide a specially crafted string that causes the regex engine to take exponential time to evaluate. No authentication or special privileges are required; the attacker only needs to supply the malicious input to any application using the vulnerable glob-parent version [2].

Impact

Successful exploitation results in a denial of service (DoS) condition, where the application becomes unresponsive or crashes due to excessive CPU consumption [2][3][4].

Mitigation

Upgrade to glob-parent version 5.1.2 or later, which contains a fix for the vulnerable regex [1][2]. No workarounds are available; updating the package is the recommended mitigation.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| glob-parent (npm) | >= 4.0.0, < 5.1.2 | 5.1.2 |

Affected products

11

Patches

1
4a80667c6935

feat: hoist regexps and strings for performance gains

https://github.com/gulpjs/glob-parent · Paul Miller · Mar 27, 2019 · via ghsa
1 file changed · +13 -7
  • index.js +13 -7 modified
    @@ -1,18 +1,24 @@
     'use strict';
     
    -var isglob = require('is-glob');
    +var isGlob = require('is-glob');
     var pathDirname = require('path-dirname');
     var isWin32 = require('os').platform() === 'win32';
     
    +var slash = '/';
    +var backslash = /\\/g;
    +var enclosure = /[\{\[].*[\/]*.*[\}\]]$/;
    +var globby = /(^|[^\\])([\{\[]|\([^\)]+$)/;
    +var escaped = /\\([\*\?\|\[\]\(\)\{\}])/g;
    +
     module.exports = function globParent(str) {
       // flip windows path separators
    -  if (isWin32 && str.indexOf('/') < 0) {
    -    str = str.split('\\').join('/');
    +  if (isWin32 && str.indexOf(slash) < 0) {
    +    str = str.replace(backslash, slash);
       }
     
       // special case for strings ending in enclosure containing path separator
    -  if (/[\{\[].*[\/]*.*[\}\]]$/.test(str)) {
    -    str += '/';
    +  if (enclosure.test(str)) {
    +    str += slash;
       }
     
       // preserves full path in case of trailing path separator
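
Review bot: The hoisted `enclosure` pattern `/[\{\[].*[\/]*.*[\}\]]$/` is carried over unchanged from the inline literal, and its middle `.*[\/]*.*` is redundant: `[\/]*` may match nothing and `.` already matches `/`, so the three quantifiers accept exactly what a single `.*` accepts while giving the matcher many more ways to split the same text when the final `[\}\]]$` fails. Because `str` is caller-supplied, collapse the middle to one `.*`, or check the last character for `}` or `]` before looking for an opener. The comment also says "containing path separator", although the pattern does not require one; either the comment or the pattern should change.
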
    @@ -21,8 +27,8 @@ module.exports = function globParent(str) {
       // remove path parts that are globby
       do {
         str = pathDirname.posix(str);
    -  } while (isglob(str) || /(^|[^\\])([\{\[]|\([^\)]+$)/.test(str));
    +  } while (isGlob(str) || globby.test(str));
     
       // remove escape chars and return result
    -  return str.replace(/\\([\*\?\|\[\]\(\)\{\}])/g, '$1');
    +  return str.replace(escaped, '$1');
     };
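
Review bot: In the final `return str.replace(escaped, '$1')`, `escaped` is now a shared module-level `/g` regex, which is stateful through `lastIndex`. `String.prototype.replace` resets `lastIndex`, so this call is safe, but a later `.test()` or `.exec()` on `escaped` or `backslash` would carry state between calls to `globParent`; add a comment next to the hoisted declarations saying they are only to be used with `replace`. Separately, `globby.test(str)` runs once per loop iteration on caller-supplied input and its `\([^\)]+$` branch is unanchored at the start, so it deserves the same backtracking review as `enclosure`.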
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

11
