ReDoS in cockpit-tukit? Detection commands for Ubuntu/Rocky/SUSE, an automation script, iptables mitigation, and a Docker lab to test the fix yourself.
You don’t need another panic-read about a specific CVE.
You need a repeatable way to find, fix, or block this class of vulnerability – on any Linux distro, today and next year.
On April 10, 2026, SUSE released an update for cockpit-tukit (CVE-2026-25547, CVE-2026-26996).
But the real story isn’t the date. It’s that unbounded brace expansion + ReDoS (Regular Expression Denial of Service) keeps appearing in Node.js tooling.
This guide stays useful because:
- The same flawed patterns exist in older versions of brace-expansion and minimatch.
- You can apply the same detection and protection to any Linux server running a Node.js backend.
What actually happens?
A remote attacker sends a short, maliciously crafted string (e.g., {a..z}{a..z}{a..z} or ***************x). Your server’s CPU spikes to 100%, memory fills, and the Node.js process crashes. No code execution, no data theft – just a cheap, effective denial of service.
How to check if you are vulnerable (Ubuntu, Rocky, SUSE)
Run these commands as root or with sudo.
Ubuntu:

# Check if cockpit-tukit or its dependencies are installed
dpkg -l | grep -E "cockpit-tukit|node-brace-expansion|node-minimatch"

# Manual test for vulnerable pattern (Node.js required)
# brace-expansion exports the expand function itself, so require it directly
node -e "const expand = require('brace-expansion'); console.log(expand('{0..1000000}'));"
# If the command hangs or crashes → vulnerable

Rocky:

# Check installed packages
rpm -qa | grep -E "cockpit-tukit|nodejs-brace-expansion|nodejs-minimatch"

# Test the ReDoS condition (time it)
time node -e "const mm = require('minimatch'); mm('x', '*******************************x');"
# If it takes >1 second → vulnerable

SUSE:

# Verify package version (vulnerable: <0.0.3~git14.ff11a9a)
zypper info cockpit-tukit | grep Version

# Same Node.js test as above
node -e "const expand = require('brace-expansion'); expand('{1..1000000}');"
Automation script to apply the fix (bash, major distros)
Save as fix-redos.sh and run on any affected server.
#!/bin/bash
# Universal ReDoS mitigator for cockpit-tukit / brace-expansion / minimatch
set -e

# Distro identifier from os-release (e.g. ubuntu, rocky, sles, opensuse-leap)
OS_ID=$(grep '^ID=' /etc/os-release | cut -d= -f2 | tr -d '"')

case "$OS_ID" in
  ubuntu|debian)
    apt update
    apt upgrade -y cockpit-tukit node-brace-expansion node-minimatch
    ;;
  rhel|centos|rocky|almalinux)
    dnf update -y cockpit-tukit nodejs-brace-expansion nodejs-minimatch
    ;;
  sles|suse|opensuse-leap|opensuse-tumbleweed)   # SLES reports ID=sles
    zypper refresh
    zypper update -y cockpit-tukit
    ;;
  *)
    echo "Unsupported OS ($OS_ID). Please update node modules manually."
    exit 1
    ;;
esac

# Restart affected service (example for cockpit)
systemctl restart cockpit
echo "ReDoS patches applied. Re-test with the node commands above."
Alternative mitigation if you can't update now
1. iptables rate-limit (stops mass exploitation)
# Limit concurrent connections to port 9090 (Cockpit default)
iptables -A INPUT -p tcp --dport 9090 -m connlimit --connlimit-above 10 -j DROP
# Accept at most 25 packets per minute on port 9090
iptables -A INPUT -p tcp --dport 9090 -m limit --limit 25/min -j ACCEPT

Note that the rate-limit rule only throttles if traffic above the limit is actually dropped, either by a later DROP rule for port 9090 or by a default DROP policy on the INPUT chain.
2. AppArmor profile to restrict CPU/memory
Create /etc/apparmor.d/usr.sbin.cockpitd:
/usr/sbin/cockpitd {
# ... existing rules ...
set rlimit cpu <= 30,
set rlimit as <= 1G,
}
Then reload it with: apparmor_parser -r /etc/apparmor.d/usr.sbin.cockpitd
3. Reverse proxy (nginx) with request filtering
location / {
    # Block suspicious brace patterns
    if ($request_uri ~* "\{[0-9]+\.\.[0-9]+\}") {
        return 403;
    }
    proxy_pass http://127.0.0.1:9090;
}

$request_uri is the raw request line, so percent-encoded braces are not matched by this expression; check $uri (already decoded) as well if your clients encode URLs. The filter also only inspects the URL, not request bodies, so treat it as a stopgap until the package is updated.
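An application-side counterpart to the nginx filter above, as an added example that is not code from the post or from the cockpit-tukit project: it estimates how many strings a pattern would expand to and how many consecutive wildcards it carries, and refuses the pattern before brace-expansion or minimatch ever sees it. The thresholds and the range-size estimate are assumptions (nested groups are only approximated).

```javascript
const MAX_EXPANSIONS = 1000; // assumption: tune for your service
const MAX_STAR_RUN = 3;      // assumption: '****' and longer are refused

// Strings one {...} group yields: numeric/letter range with optional step, or a comma list.
function groupSize(body) {
  const m = body.match(/^(-?\d+|[a-zA-Z])\.\.(-?\d+|[a-zA-Z])(?:\.\.(-?\d+))?$/);
  if (!m) return body.split(',').length; // nested groups are approximated
  const isNum = (s) => /^-?\d+$/.test(s);
  if (isNum(m[1]) !== isNum(m[2])) return 1; // mixed endpoints do not expand
  const val = (s) => (isNum(s) ? Number(s) : s.charCodeAt(0));
  const step = Math.max(1, Math.abs(Number(m[3] || 1)));
  return Math.floor(Math.abs(val(m[2]) - val(m[1])) / step) + 1;
}

// Product of all top-level group sizes ({a..z}{a..z} -> 26 * 26); stops once over the limit.
function estimateExpansions(pattern) {
  let total = 1, depth = 0, start = 0;
  for (let i = 0; i < pattern.length; i++) {
    if (pattern[i] === '{') {
      if (depth++ === 0) start = i + 1;
    } else if (pattern[i] === '}' && depth > 0 && --depth === 0) {
      total *= groupSize(pattern.slice(start, i));
      if (total > MAX_EXPANSIONS) return total;
    }
  }
  return total;
}

// Longest run of consecutive '*', the shape behind the minimatch ReDoS.
function longestStarRun(pattern) {
  let best = 0, run = 0;
  for (const c of pattern) {
    run = c === '*' ? run + 1 : 0;
    best = Math.max(best, run);
  }
  return best;
}

// Decide before the pattern ever reaches brace-expansion or minimatch.
function checkPattern(pattern) {
  const expansions = estimateExpansions(pattern);
  if (expansions > MAX_EXPANSIONS) return { ok: false, reason: `expands to at least ${expansions} strings` };
  const stars = longestStarRun(pattern);
  if (stars > MAX_STAR_RUN) return { ok: false, reason: `${stars} consecutive '*'` };
  return { ok: true, reason: 'accepted' };
}

// Constructed inputs: the two attack shapes quoted in the post plus a benign glob.
for (const p of ['{a..z}{a..z}{a..z}{a..z}', '***************x', 'src/**/*.js']) console.log(p, checkPattern(p));
```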
Hands-on Lab: Reproduce the vulnerability in a safe Docker container
Goal: See the CPU spike yourself – without touching production.
# 1. Create vulnerable environment
docker run -it --name redos-lab node:14-alpine sh

# 2. Inside container, install vulnerable versions
apk add npm
npm install brace-expansion@1.1.11 minimatch@3.0.4

# 3. Trigger brace-expansion crash
node -e "const expand = require('brace-expansion'); expand('{a..z}{a..z}{a..z}{a..z}');"
# Watch CPU go to 100% (use 'top' in another terminal)

# 4. Test ReDoS on minimatch
node -e "const mm = require('minimatch'); mm('x', '********************************x');"
# Takes minutes instead of milliseconds

# 5. Apply fix (update inside container)
npm install brace-expansion@2.0.1 minimatch@5.1.0
# Re-run steps 3 and 4 – now finishes instantly
Suggested reading:
Why this book?
It dedicates an entire chapter to ReDoS and catastrophic backtracking – with real npm package examples, not just theory. It teaches you to audit package-lock.json for known vulnerable patterns, which prevents this exact class of bug across your entire Node.js estate.
What’s next?
You now have:
- A test lab for ReDoS
- Cross-distro detection commands
- A working fix script
- Fallback mitigations
Don’t wait for the next CVE. Build this into your monthly server checklist.
