Regular Expression Denial of Service (ReDoS) vulnerability in the glob-parent.

[Leha1992]

There is a Regular Expression Denial of Service (ReDoS) vulnerability in the glob-parent dependency.

This is the dependency tree:

• devDependencies (optional): react-scripts>webpack>watchpack>watchpack-chokidar2>chokidar>glob-parent
• devDependencies: react-scripts>webpack-dev-server>chokidar>glob-parent

The vulnerability has been fixed in glob-parent version >5.1.2

[sindhurameduri]

I am also facing the same issue, have you managed to get it updated

[ralfnovo]

Any updates on this? I'm getting the same vulnerabilities as well

[BiancaArtola]

Same issue here

Same issue here. Registering as high severity from dependabot

[kpotter-m2]

Same issue for our team, considered moderate severity but causes our npm audits to fail.

  Moderate        Regular expression denial of service                          
                                                                                
  Package         glob-parent                                                   
                                                                                
  Patched in      >=5.1.2                                                       
                                                                                
  Dependency of   react-scripts [dev]                                           
                                                                                
  Path            react-scripts > webpack-dev-server > chokidar > glob-parent   
                                                                                
  More info       https://npmjs.com/advisories/1751      

[nrayburn-tech]

See #11174.

There is not any vulnerable code deployed to production here.

[asitsar1]

Hi,
We received a report of vulnerability in our security testing.
"Regular Expression Denial of Service (ReDoS) glob-parent:
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending
in enclosure containing path separator."

As we expect a version higher than 5.1.2 , when the library will be available?

[stale]

This issue has been automatically marked as stale because it has not had any recent activity. It will be closed in 5 days if no further activity occurs.

[MEBARKI16]

Hello, I would like to intervene regarding issue #11071 on the ReDoS vulnerability in the glob-parent dependency. After running the npm list glob-parent command in the create-react-app project directory, it appears that all instances of glob-parent are at version 5.1.2 or higher, more precisely 6.0.2 for some of them. between them.
Version 5.1.2 is where the vulnerability was fixed, so it appears that the project is no longer affected by this specific security issue.
I propose that the issue be closed unless there are other actions or checks that you would recommend.
Thank you for your attention and continued work on this project.