Description
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1.
Published: 2026-02-20
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via excessive regex backtracking (Regular Expression Denial of Service)
Action: Apply Patch
AI Analysis

Impact

The vulnerability lies in the minimatch library’s handling of glob patterns that include many consecutive asterisks followed by a literal character absent from the target string. Each asterisk expands to its own [^/]*? regex group, and when the match ultimately fails, V8’s regex engine performs exponential backtracking with a time complexity of O(4^N). This can bring an application into a denial‑of‑service state, with N=15 taking around two seconds and N=34 effectively hanging indefinitely. The weakness is a Regular Expression Denial of Service, identified as CWE‑1333.

Affected Systems

Products affected are versions 10.2.0 and earlier of minimatch, the minimal matching utility used in Node.js projects. Any application that receives user‑controlled strings and passes them directly to minimatch() as the pattern argument is vulnerable. The library is maintained by the isaacs team.

Risk and Exploitability

The CVSS score of 8.7 classifies the vulnerability as high severity. The EPSS score is under 1%, indicating a low probability of exploitation in the wild, and it is not currently listed in the KEV catalog. The most likely attack vector is a malicious user supplying an intentionally crafted glob pattern to a vulnerable application. Exploitation requires no special privileges and could be performed as part of normal usage of the library.

Generated by OpenCVE AI on April 17, 2026 at 17:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade minimatch to version 10.2.1 or later to eliminate the backtracking flaw
  • Validate or sanitize any glob pattern supplied by users before passing it to minimatch(), ensuring it does not contain excessive wildcards or disallowed characters
  • If an immediate upgrade is not feasible, restrict pattern complexity server‑side, for example by rejecting patterns with more than a predefined threshold of consecutive wildcards or by using a whitelist of allowed pattern constructs
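The guard suggested in the last two actions, implemented for the mechanism described in the Description above: an added example, not code from the OpenCVE page or the minimatch project. It rejects a user-supplied pattern before it reaches minimatch() when its longest run of consecutive `*` wildcards (or its total wildcard count) exceeds a limit; both limit values, `checkGlobPattern`, `safeMatch` and the stand-in `matchFn` are assumptions of this example.

```javascript
// Added example, not code from the OpenCVE page or the minimatch project:
// a pre-check applied to user-supplied glob patterns before they reach
// minimatch(). Threshold values below are assumptions for this example.
const MAX_CONSECUTIVE_STARS = 2; // assumption: '*' and globstar '**' are the only meaningful runs
const MAX_TOTAL_STARS = 10;      // assumption: defence-in-depth cap on wildcards per pattern

// Length of the longest run of consecutive '*' characters in the pattern.
function longestStarRun(pattern) {
  let longest = 0;
  let run = 0;
  for (const ch of pattern) {
    run = ch === '*' ? run + 1 : 0;
    if (run > longest) longest = run;
  }
  return longest;
}

// Total number of '*' characters in the pattern.
function countStars(pattern) {
  let n = 0;
  for (const ch of pattern) if (ch === '*') n += 1;
  return n;
}

// Returns { ok: true } or { ok: false, reason }; linear in the pattern length, compiles no regex.
function checkGlobPattern(pattern, opts = {}) {
  const maxRun = opts.maxConsecutiveStars ?? MAX_CONSECUTIVE_STARS;
  const maxTotal = opts.maxTotalStars ?? MAX_TOTAL_STARS;
  if (typeof pattern !== 'string') {
    return { ok: false, reason: 'pattern must be a string' };
  }
  const run = longestStarRun(pattern);
  if (run > maxRun) {
    return { ok: false, reason: `run of ${run} consecutive '*' exceeds limit ${maxRun}` };
  }
  const total = countStars(pattern);
  if (total > maxTotal) {
    return { ok: false, reason: `${total} '*' wildcards exceed limit ${maxTotal}` };
  }
  return { ok: true };
}

// Wrapper that only calls the real matcher once the guard passes. `matchFn`
// stands in for minimatch(path, pattern) so the example runs offline.
function safeMatch(matchFn, path, pattern, opts) {
  const verdict = checkGlobPattern(pattern, opts);
  if (!verdict.ok) throw new Error(`rejected glob pattern: ${verdict.reason}`);
  return matchFn(path, pattern);
}
```

The guard is a stopgap for deployments that cannot upgrade immediately; upgrading to 10.2.1 or later remains the fix.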



Advisories
Source: Github GHSA
ID: GHSA-3ppc-4f35-3m26
Title: minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern
History

Sat, 21 Feb 2026 00:15:00 +0000
  References: no values recorded
  Metrics: threat_severity removed "None", added "Important"

Fri, 20 Feb 2026 19:15:00 +0000
  First Time appeared (added): Minimatch Project; Minimatch Project minimatch
  CPEs (added): cpe:2.3:a:minimatch_project:minimatch:*:*:*:*:*:node.js:*:*
  Vendors & Products (added): Minimatch Project; Minimatch Project minimatch
  Metrics (added): cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Fri, 20 Feb 2026 16:15:00 +0000
  Metrics (added): ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Feb 2026 10:15:00 +0000
  First Time appeared (added): Isaacs; Isaacs minimatch
  Vendors & Products (added): Isaacs; Isaacs minimatch

Fri, 20 Feb 2026 03:15:00 +0000
  Description (added): identical to the Description at the top of this page
  Title (added): minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern
  Weaknesses (added): CWE-1333
  References: no values recorded
  Metrics (added): cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-20T15:34:15.151Z

Reserved: 2026-02-17T01:41:24.607Z

Link: CVE-2026-26996

Vulnrichment

Updated: 2026-02-20T15:31:37.900Z

NVD

Status : Analyzed

Published: 2026-02-20T03:16:01.620

Modified: 2026-03-06T21:32:10.650

Link: CVE-2026-26996

Redhat

Severity : Important

Public Date: 2026-02-20T03:05:21Z

Links: CVE-2026-26996 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T17:45:24Z

Weaknesses