CVE-2026-27904

Summary

minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested *() extglobs produce regexps with nested unbounded quantifiers (e.g. (?:(?:a|b)*)*), which exhibit catastrophic backtracking in V8. With a 12-byte pattern *(*(*(a|b))) and an 18-byte non-matching input, minimatch() stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default minimatch() API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects +() extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.

Affected Software

VendorProductVersion RangeStatus
isaacsminimatch>= 10.0.0, < 10.2.3affected
isaacsminimatch>= 9.0.0, < 9.0.7affected
isaacsminimatch>= 8.0.0, < 8.0.6affected
isaacsminimatch>= 7.0.0, < 7.4.8affected
isaacsminimatch>= 6.0.0, < 6.2.2affected
isaacsminimatch>= 5.0.0, < 5.1.8affected
isaacsminimatch>= 4.0.0, < 4.2.5affected
isaacsminimatch< 3.1.4affected

Weaknesses

  • CWE-1333: CWE-1333: Inefficient Regular Expression Complexity

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References