Description
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, `matchOne()` performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent `**` (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where `n` is the number of path segments and `k` is the number of globstars. With k=11 and n=30, a call to the default `minimatch()` API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior. Any application where an attacker can influence the glob pattern passed to `minimatch()` is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3 fix the issue.
Published: 2026-02-26
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via unbounded backtracking of minimatch's matchOne function
Action: Apply Patch
AI Analysis

Impact

minimatch is a glob matching library that converts glob expressions into JavaScript RegExp objects. In versions prior to 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, the internal matchOne function performs unbounded recursive backtracking when a glob pattern contains multiple non‑adjacent GLOBSTAR (`**`) segments and the input path does not match. The time complexity grows combinatorially with the number of pattern segments, so a crafted pattern with 11 GLOBSTAR segments and a 30‑segment path can stall the default minimatch() call for five seconds, and 13 GLOBSTAR segments can exceed fifteen seconds. Because no memoization or time limit is applied, an attacker who controls the glob pattern can cause a denial‑of‑service by stalling the Node.js event loop for tens of seconds per invocation.

Affected Systems

Any Node.js application that depends on minimatch 10.2.3 or older is vulnerable. The affected package is minimatch provided by isaacs. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3 are known to contain the flaw. The vulnerability manifests when the application passes user‑controlled glob patterns to minimatch—common in build tools such as ESLint, Webpack, or Rollup, in task runners, multi‑tenant services that run shared processes, administrative interfaces that accept ignore rules, and CI/CD pipelines that evaluate user‑supplied configuration files.

Risk and Exploitability

CVSS base score 7.5 indicates high severity, but EPSS is below 1 % and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, implying that widespread exploitation has not yet been observed. Nevertheless, the attack surface is realistic: any environment where a user can supply a glob pattern without authentication can trigger a denial‑of‑service. The lack of a time or recursion budget means the explosion grows rapidly with pattern complexity; a 56‑byte pattern can stall the event loop for five seconds. Attackers can therefore degrade service availability or force throttling in shared or multi‑tenant Node.js deployments.

Generated by OpenCVE AI on April 17, 2026 at 14:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade minimatch to version 10.2.3 or newer.
  • Validate or sanitize user‑supplied glob patterns before passing them to minimatch; reject patterns that contain more than a modest number of GLOBSTAR segments.
  • In multi‑tenant or shared‑process contexts isolate glob processing in a separate process or thread, or use an alternative library that guarantees bounded matching complexity.
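A pre-check in the spirit of the second recommendation above, added here as an example and not taken from the advisory or from minimatch's own code. It counts runs of non-adjacent `**` segments in a pattern before it reaches minimatch(); the limits MAX_GLOBSTARS and MAX_SEGMENTS and the decision to reject brace expansion in untrusted input are assumed policy values, not figures from this page.

```javascript
// Added example: validate untrusted glob patterns before calling minimatch().
// Assumed policy limits (not from the advisory): tune to your own workloads.
const MAX_GLOBSTARS = 3;   // non-adjacent "**" runs allowed per pattern
const MAX_SEGMENTS = 64;   // "/"-separated segments allowed per pattern

// Count runs of "**" segments. The advisory states the cost in terms of
// non-adjacent GLOBSTAR segments, so consecutive "**" segments are counted
// as one run; counting every "**" segment instead would only be stricter.
function countGlobstarRuns(pattern) {
  const segments = pattern.split('/');
  let runs = 0;
  let inRun = false;
  for (const seg of segments) {
    if (seg === '**') {
      if (!inRun) runs += 1;
      inRun = true;
    } else {
      inRun = false;
    }
  }
  return { runs, segments: segments.length };
}

// Returns { ok: true, globstars } for an acceptable pattern, otherwise
// { ok: false, reason }. Callers should log and drop rejected patterns
// rather than passing them on.
function checkGlobPattern(pattern) {
  if (typeof pattern !== 'string') {
    return { ok: false, reason: 'pattern must be a string' };
  }
  // minimatch expands {a,b} into several patterns before matching, so a
  // count on the raw string would undercount; reject braces in untrusted
  // input (assumed policy) instead of re-implementing brace expansion.
  if (pattern.includes('{') || pattern.includes('}')) {
    return { ok: false, reason: 'brace expansion not allowed in untrusted patterns' };
  }
  const { runs, segments } = countGlobstarRuns(pattern);
  if (segments > MAX_SEGMENTS) {
    return { ok: false, reason: `${segments} segments exceeds limit of ${MAX_SEGMENTS}` };
  }
  if (runs > MAX_GLOBSTARS) {
    return { ok: false, reason: `${runs} non-adjacent ** segments exceeds limit of ${MAX_GLOBSTARS}` };
  }
  return { ok: true, globstars: runs };
}
```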

Generated by OpenCVE AI on April 17, 2026 at 14:33 UTC.


Advisories
Source | ID | Title
Github GHSA | GHSA-7r86-cg39-jmmj | minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments
History

Sat, 28 Feb 2026 00:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-1333
References | |
Metrics | threat_severity: None | threat_severity: Moderate


Fri, 27 Feb 2026 17:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Minimatch Project; Minimatch Project minimatch
CPEs | | cpe:2.3:a:minimatch_project:minimatch:*:*:*:*:*:node.js:*:*
Vendors & Products | | Minimatch Project; Minimatch Project minimatch

Fri, 27 Feb 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Feb 2026 13:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Isaacs; Isaacs minimatch
Vendors & Products | | Isaacs; Isaacs minimatch

Thu, 26 Feb 2026 01:30:00 +0000

Type | Values Removed | Values Added
Description | | minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, `matchOne()` performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent `**` (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where `n` is the number of path segments and `k` is the number of globstars. With k=11 and n=30, a call to the default `minimatch()` API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior. Any application where an attacker can influence the glob pattern passed to `minimatch()` is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3 fix the issue.
Title | | minimatch has a ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments
Weaknesses | | CWE-407
References | |
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T19:20:51.517Z

Reserved: 2026-02-24T15:19:29.718Z

Link: CVE-2026-27903

Vulnrichment

Updated: 2026-02-26T19:20:47.070Z

NVD

Status: Analyzed

Published: 2026-02-26T02:16:21.353

Modified: 2026-02-27T17:21:22.370

Link: CVE-2026-27903

Redhat

Severity: Moderate

Public Date: 2026-02-26T01:06:32Z

Links: CVE-2026-27903 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T14:45:21Z

Weaknesses