VYPR
High severity · NVD Advisory · Published Dec 26, 2022 · Updated Apr 14, 2025

CVE-2021-35065

Description

The glob-parent package before 6.0.1 for Node.js allows ReDoS (regular expression denial of service) attacks against the enclosure regular expression.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

glob-parent before 6.0.1 is vulnerable to ReDoS via crafted input that causes catastrophic backtracking.

Vulnerability

Overview

The glob-parent package before version 6.0.1 contains a regular expression denial of service (ReDoS) vulnerability. The enclosure regular expression used for parsing glob patterns can exhibit catastrophic backtracking when processing specially crafted inputs, leading to excessive CPU consumption [2][4].

Exploitation

An attacker can trigger the vulnerability by providing a malicious string, such as a sequence of repeated forward slashes, to any function that uses glob-parent. No authentication or special network position is required; the input can be supplied via user-controlled filenames or paths in Node.js applications [1]. Performance tests demonstrate that processing such inputs results in quadratic runtime (O(n²)), causing significant delays [1].

Impact

Successful exploitation leads to a denial of service (DoS) condition, where the application becomes unresponsive due to CPU exhaustion. This can affect server-side applications that parse user-provided glob patterns without proper input validation [4].

Mitigation

The vulnerability is fixed in glob-parent version 6.0.1 and later [3]. Users should upgrade to the patched version immediately. There are no known workarounds, as the fix modifies the underlying regular expression to prevent catastrophic backtracking [1].
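The following is an added example illustrating the Overview and Mitigation sections above; it is not glob-parent's own code and not part of the advisory. It carries the pre-6.0.1 enclosure regex quoted in the diff below, a simplified model of a backtracking engine that counts how much work that regex does on an input of the shape used in the fix's regression test (an opening brace followed by n slashes, which never matches), and a linear-time re-implementation of the check that replaced it. The function names `simulateEnclosureRegex`, `isEnclosureLinear`, `stepsForSlashRun` and `compare`, the step-counting model, and the sample strings are this example's own assumptions. The real regex is only ever run on short constructed inputs here.

```javascript
// Added example for the CVE-2021-35065 advisory; not glob-parent's own code.
// Models why the pre-6.0.1 enclosure regex is quadratic, re-implements the
// linear-time check that replaced it, and compares the two on short inputs.

// The enclosure regex as it appeared in glob-parent before 6.0.1 (quoted from
// the fix commit's diff). Only applied to short, constructed inputs below.
const VULNERABLE_ENCLOSURE = /[{[].*\/.*[}\]]$/;

// Simplified model (an assumption of this example, not a real engine) of how
// a backtracking matcher evaluates  OPEN .* '/' .* CLOSE $ : one step per
// start position, per candidate position for the '/' literal, and per
// candidate position for the closing bracket. Returns outcome and step count.
function simulateEnclosureRegex(str) {
  const isOpen = (c) => c === '{' || c === '[';
  const isClose = (c) => c === '}' || c === ']';
  const last = str.length - 1;
  let steps = 0;
  for (let start = 0; start <= last; start++) {
    steps++;
    if (!isOpen(str[start])) continue;
    // First .* is greedy: the engine places the '/' as far right as possible
    // and backtracks leftwards one character at a time.
    for (let slashPos = last; slashPos > start; slashPos--) {
      steps++;
      if (str[slashPos] !== '/') continue;
      // Second .* likewise: every position right of the slash is tried as the
      // closing bracket, and '$' only accepts the final character.
      for (let closePos = last; closePos > slashPos; closePos--) {
        steps++;
        if (closePos === last && isClose(str[closePos])) {
          return { matched: true, steps };
        }
      }
    }
  }
  return { matched: false, steps };
}

// Linear-time check with the same intent: the string ends in a closing
// bracket, the matching opening bracket appears earlier, and a '/' lies
// between them. Mirrors the isEnclosure helper introduced in 6.0.1; unlike the
// regex it pairs '{' only with '}' and '[' only with ']'.
function isEnclosureLinear(str) {
  const lastChar = str.slice(-1);
  let enclosureStart;
  switch (lastChar) {
    case '}': enclosureStart = '{'; break;
    case ']': enclosureStart = '['; break;
    default: return false;
  }
  const foundIndex = str.indexOf(enclosureStart);
  if (foundIndex < 0) return false;
  return str.slice(foundIndex + 1, -1).includes('/');
}

// Step count of the model for '{' followed by n slashes (the shape used in the
// fix's regression test): no closing bracket, so the search is exhausted.
// Grows as n*(n-1)/2 + 2n + 1, i.e. quadratically in n.
function stepsForSlashRun(n) {
  return simulateEnclosureRegex('{' + '/'.repeat(n)).steps;
}

// Compare the real regex, the model and the linear scan on one short input.
function compare(str) {
  return {
    regex: VULNERABLE_ENCLOSURE.test(str),
    model: simulateEnclosureRegex(str).matched,
    linear: isEnclosureLinear(str),
  };
}

// Constructed sample inputs: ordinary globs, an escaped bracket, and the
// mismatched-bracket case where the old regex and the new check differ.
const SAMPLES = ['{a/b}', 'path/[x/y]', 'a/{b}', '[/]x', 'path/\\[bar]', '{a/b]'];

if (typeof require !== 'undefined' && require.main === module) {
  for (const s of SAMPLES) console.log(JSON.stringify(s), compare(s));
  for (const n of [10, 20, 40, 80]) console.log(n, stepsForSlashRun(n));
}
```

Doubling n roughly quadruples the modelled step count, which is the O(n²) behaviour the Exploitation section describes, while `isEnclosureLinear` does a single `indexOf` and a single `includes` pass. The one input on which the two checks disagree, `{a/b]`, shows that the 6.0.1 helper is slightly stricter than the regex it replaced (it requires the bracket types to match), which is worth knowing when comparing outputs across the upgrade.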

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Affected versions    Patched versions
glob-parent (npm)  >= 6.0.0, < 6.0.1    6.0.1

Affected products

10

Patches

2
3e9f04a3b434

fix: Resolve ReDoS vulnerability from CVE-2021-35065 (#49)

https://github.com/gulpjs/glob-parent · Takayuki Sato · Jul 20, 2021 · via ghsa
2 files changed · +43 −2
  • index.js (+25 −2, modified)
    @@ -6,7 +6,6 @@ var isWin32 = require('os').platform() === 'win32';
     
     var slash = '/';
     var backslash = /\\/g;
    -var enclosure = /[{[].*\/.*[}\]]$/;
     var globby = /(^|[^\\])([{[]|\([^)]+$)/;
     var escaped = /\\([!*?|[\](){}])/g;
     
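Review bot: removing `enclosure` is the right call: `[{[].*\/.*[}\]]$` has two unbounded `.*` on either side of a required `/`, so on an input that starts with `{` or `[` and continues with a long run of `/` and no closing bracket, the engine retries every way of splitting the text between the two quantifiers, which is quadratic in the input length. A one-line comment here noting that the enclosure check now lives in `isEnclosure` would help, since `slash` is kept for that purpose further down and a reader of this block otherwise sees the variable vanish without replacement.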
    @@ -24,7 +23,7 @@ module.exports = function globParent(str, opts) {
       }
     
       // special case for strings ending in enclosure containing path separator
    -  if (enclosure.test(str)) {
    +  if (isEnclosure(str)) {
         str += slash;
       }
     
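Review bot: `isEnclosure` is called here but declared after `module.exports` at the bottom of the file; that works because function declarations are hoisted, but moving the helper above the export (or adding a short comment) would avoid the call site reading as a use-before-definition. The existing comment on the line above still describes the intent accurately for the new helper.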
    @@ -39,3 +38,27 @@ module.exports = function globParent(str, opts) {
       // remove escape chars and return result
       return str.replace(escaped, '$1');
     };
    +
    +
    +function isEnclosure(str) {
    +  var lastChar = str.slice(-1)
    +
    +  var enclosureStart;
    +  switch (lastChar) {
    +    case '}':
    +      enclosureStart = '{';
    +      break;
    +    case ']':
    +      enclosureStart = '[';
    +      break;
    +    default:
    +      return false;
    +  }
    +
    +  var foundIndex = str.indexOf(enclosureStart);
    +  if (foundIndex < 0) {
    +    return false;
    +  }
    +
    +  return str.slice(foundIndex + 1, -1).includes(slash);
    +}
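Review bot: `isEnclosure` is stricter than the regex it replaces: the regex accepted any opener followed eventually by any closer (`{a/b]` matched), whereas the switch pairs `{` only with `}` and `[` only with `]`, so mixed-bracket inputs no longer take the enclosure branch. If that tightening is intended, state it in the commit message or cover it with a test; if not, accept either opener for either closer. Using `indexOf` (first occurrence) is correct, because if any occurrence of the opener has a `/` after it before the final character, the leftmost one does too, and the whole check is a single linear scan. Two style nits: `var lastChar = str.slice(-1)` is missing its semicolon, and the function is preceded by two blank added lines where the file uses one.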
    
  • test/index.test.js (+18 −0, modified)
    @@ -224,6 +224,24 @@ describe('glob2base test patterns', function () {
     
         done();
       });
    +
    +  it('should finish in reasonable time for \'{\' + \'/\'.repeat(n) [CVE-2021-35065]', function(done) {
    +    this.timeout(1000);
    +    gp('{' + '/'.repeat(500000));
    +    done();
    +  });
    +
    +  it('should finish in reasonable time for \'{\'.repeat(n)', function(done) {
    +    this.timeout(1000);
    +    gp('{'.repeat(500000));
    +    done();
    +  });
    +
    +  it('should finish in reasonable time for \'(\'.repeat(n)', function(done) {
    +    this.timeout(1000);
    +    gp('('.repeat(500000));
    +    done();
    +  });
     });
     
     if (isWin32) {
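Review bot: the three new cases only check that `gp` returns within 1 s, so they guard against a runtime regression but not against a wrong result; adding an `expect(...)` on the return value for the `'{' + '/'.repeat(n)` case would let them double as correctness tests. Wall-clock timeouts are also sensitive to CI load: 500000 characters under `this.timeout(1000)` passes comfortably with a linear check but could flake on a slow runner, so consider a wider margin. The `done` callback is unnecessary for synchronous tests. Minor: the `'{'.repeat(n)` and `'('.repeat(n)` cases exercise the `globby` pattern that remains in index.js rather than the removed `enclosure` regex, which is worth saying in their descriptions.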
    
32f6d52663b7

fix!: Correct mishandled escaped path separators (#34)

https://github.com/gulpjs/glob-parent · Rich Trott · May 3, 2021 · via ghsa
2 files changed · +5 −5
  • index.js (+1 −1, modified)
    @@ -6,7 +6,7 @@ var isWin32 = require('os').platform() === 'win32';
     
     var slash = '/';
     var backslash = /\\/g;
    -var enclosure = /[{[].*[}\]]$/;
    +var enclosure = /[{[].*\/.*[}\]]$/;
     var globby = /(^|[^\\])([{[]|\([^)]+$)/;
     var escaped = /\\([!*?|[\](){}])/g;
     
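Review bot: the new `enclosure` pattern `[{[].*\/.*[}\]]$` places two unbounded `.*` on either side of a required `/`; whenever the trailing `[}\]]` cannot match, the engine retries every way of splitting the text between the two quantifiers, which is quadratic in the input length. This is the ReDoS tracked by this advisory, and the later commit 3e9f04a3b434 removes the regex for that reason. The intent here, an opening bracket, then a `/`, then a closing bracket at the end of the string, can be checked with `indexOf` and `includes` in a single linear pass.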
    
  • test/index.test.js (+4 −4, modified)
    @@ -77,10 +77,10 @@ describe('glob-parent', function () {
           'path/[foo bar]/subdir'
         );
         expect(gp('path/\\[bar]/')).toEqual('path/[bar]');
    -    expect(gp('path/\\[bar]')).toEqual('path/[bar]');
    +    expect(gp('path/\\[bar]')).toEqual('path');
         expect(gp('[bar]')).toEqual('.');
         expect(gp('[bar]/')).toEqual('.');
    -    expect(gp('./\\[bar]')).toEqual('./[bar]');
    +    expect(gp('./\\[bar]')).toEqual('.');
         expect(gp('\\[bar]/')).toEqual('[bar]');
         expect(gp('\\!dir/*')).toEqual('!dir');
         expect(gp('[bar\\]/')).toEqual('.');
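Review bot: `path/\\[bar]` now yields `path` while the unchanged line above keeps `path/\\[bar]/` at `path/[bar]`, so the presence of a trailing slash now decides whether an escaped bracket segment survives; the same split appears between `\\[bar]/` → `[bar]` (unchanged) and the new `./\\[bar]` → `.`. That is consistent with treating a final segment that has no trailing slash as a file name rather than a directory, but since the commit is marked `fix!` it deserves a comment in the test (or the changelog) stating that rule so the asymmetry is not read as a bug.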
    @@ -95,9 +95,9 @@ describe('glob-parent', function () {
           expect(gp('foo-\\(bar\\).md')).toEqual('foo-');
         } else {
           expect(gp('foo-\\(bar\\).md')).toEqual('.');
    -      expect(gp('\\[bar]')).toEqual('[bar]');
    +      expect(gp('\\[bar]')).toEqual('.');
           expect(gp('[bar\\]')).toEqual('.');
    -      expect(gp('\\{foo,bar\\}')).toEqual('{foo,bar}');
    +      expect(gp('\\{foo,bar\\}')).toEqual('.');
           expect(gp('{foo,bar\\}')).toEqual('.');
         }
     
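Review bot: `\\[bar]` and `\\{foo,bar\\}` now return `.`, the same as the neighbouring `[bar\\]` and `{foo,bar\\}` cases, so escaping no longer changes the parent in this branch. The win32 branch just above still expects `foo-` for `foo-\\(bar\\).md` where the non-win32 branch expects `.`, so platform-dependent handling of escapes remains; a comment explaining why the escaped-bracket cases are asserted only in the non-win32 branch would help the next reader.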
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

10

News mentions

0

No linked articles in our index yet.