CVE-2024-31207: Picomatch Matchbase Directory Bypass
greprules fetch cve-2024-31207-picomatch-matchbase-directory-bypass --engine opengrep

Description
Using `picomatch` with `matchBase: true` fails to correctly match glob patterns that contain directory separators because of an upstream limitation. When used in security controls such as file-denial lists, this causes authorization bypasses. To mitigate, set `matchBase: false`, manually format patterns by prepending `**/` if they lack a slash, and set `dot: tr