PSIRT: Node.js glob-parent module denial of service CVE-2020-28469

[pankaj-kumar34]

Summary:
Node.js glob-parent module denial of service CVE-2020-28469

Details:
globparent-cve202028469-dos (196451) - reported on 2021-01-12 (Format: yyyy-mm-dd)

Node.js glob-parent module is vulnerable to a denial of service. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a regular expression denial of service.

Consequences: Denial of Service

Remedy:
No remedy available as of February 2021.

X-Force Record: https://exchange.xforce.ibmcloud.com/vulnerabilities/196451

Attention: If the CVE is excluded from OWASP scanning, make sure to include it back, while remediating corresponding PSIRT. Acknowledge with appropriate comment before closing the PSIRT.

[pankaj-kumar34]

Hi team, we have noticed that @console/pal is using glob-parent as child dependency. Which is vulnerable of Denial of Service. We want to confirm if this vulnerability is applicable or not.

[tay1orjones]

I ran yarn why glob-parent to get a list of what packages are using the glob-parent package and it looks like they all are sub-dependencies of packages listed as devDependencies.

Related: gulpjs/glob-parent#36

[pankaj-kumar34]

Hi @tay1orjones, thank you for the reply. Closing this issue as discussed in this slack channel.