Description
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), which exhibit catastrophic backtracking in V8. With a 12-byte pattern `*(*(*(a|b)))` and an 18-byte non-matching input, `minimatch()` stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default `minimatch()` API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects `+()` extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.
Published: 2026-02-26
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via Regular Expression Denial of Service
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises when the minimatch library builds regular expressions from glob patterns that contain nested *() or +() extglobs. These nested unbounded quantifiers create patterns like (?:(?:a|b)*)* that cause catastrophic backtracking in the V8 JavaScript engine. Even a short 12-byte pattern can stall the engine for several seconds, and adding a single nesting level or a few input characters can increase the time to minutes. The result is a denial of service that can halt applications or services that use minimatch without additional safeguards. The weakness is classified as CWE-1333, indicating a regular expression denial of service.

Affected Systems

The problem affects the minimatch package (vendor isaacs) for Node.js in versions prior to 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4. Any application that depends on one of these versions is susceptible, including those that call minimatch through its default API with no special options. The issue is not limited to any particular platform but applies wherever the vulnerable library version is imported in a Node.js environment.

Risk and Exploitability

With a CVSS score of 7.5, the vulnerability is medium-high severity. The EPSS score is less than 1%, indicating that while exploitation is technically possible, it remains low probability under normal circumstances. The vulnerability is not listed in CISA’s KEV catalog, yet the attack vector is straightforward and requires only a crafted glob pattern, which an attacker can supply through any input that eventually flows to minimatch(). Because the default API is vulnerable, legitimate users must guard against malicious patterns or update the library.

Generated by OpenCVE AI on April 17, 2026 at 14:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade your project’s minimatch dependency to at least version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, or 3.1.4, which include the fix for nested extglob backtracking.
  • If an upgrade is not immediately feasible, avoid using nested *() or +() extglobs in glob patterns; validate or sanitize patterns before passing them to minimatch(), rejecting or flattening any pattern that contains nested extglob syntax, or limiting pattern length to less than 12 bytes.
  • If neither upgrade nor sanitization is possible, monitor application performance for prolonged hangs or unusually high CPU consumption, and consider temporarily disabling features that consume user-supplied glob patterns until a patch can be applied.
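As an added example of the second recommendation (this is not code from the advisory, from OpenCVE, or from minimatch itself), the function below pre-screens a glob pattern before it reaches minimatch(): it walks the pattern once, honours backslash escapes and [...] bracket expressions, and rejects any *() or +() extglob that opens while another *() or +() is still open, which is exactly the shape that compiles to nested unbounded quantifiers. The function name, the result shape and the 256-byte default length limit are assumptions of this example.

```javascript
// Added example, not part of the advisory or of minimatch. Rejects glob
// patterns whose *() / +() extglobs are nested inside another *() / +()
// (at any depth, even with a bounded @() / ?() / !() in between), since those
// compile to nested unbounded quantifiers such as (?:(?:a|b)*)*.

const UNBOUNDED = new Set(['*', '+']); // extglob kinds that compile to * or +

// Returns { ok: true } or { ok: false, reason } for one glob pattern string.
// maxLength is an assumed default; tune it to what the application needs.
function checkGlobPattern(pattern, { maxLength = 256 } = {}) {
  if (typeof pattern !== 'string') return { ok: false, reason: 'pattern must be a string' };
  if (pattern.length > maxLength) return { ok: false, reason: `pattern longer than ${maxLength} bytes` };

  const stack = [];  // kinds of the extglobs currently open, innermost last
  let unbounded = 0; // how many of the open extglobs are *( or +(
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === '\\') { i++; continue; } // escaped character is literal
    if (c === '[') {                   // bracket expression: parens inside are literal
      const start = i + (pattern[i + 1] === '!' || pattern[i + 1] === '^' ? 3 : 2);
      const close = pattern.indexOf(']', start);
      if (close !== -1) { i = close; continue; }
    }
    if ('*+?@!'.includes(c) && pattern[i + 1] === '(') { // extglob opener
      if (UNBOUNDED.has(c)) {
        if (unbounded > 0) return { ok: false, reason: `nested ${c}() extglob at offset ${i}` };
        unbounded++;
      }
      stack.push(c);
      i++; // skip the '('
      continue;
    }
    if (c === ')' && stack.length && UNBOUNDED.has(stack.pop())) unbounded--;
  }
  return { ok: true };
}

// Constructed sample patterns: the advisory's 12-byte shape next to benign ones.
const samples = ['*(*(*(a|b)))', '*(a|b)', '@(*(a|b))', 'src/**/*.js', '*(a)+(b)'];
for (const p of samples) console.log(JSON.stringify(p), checkGlobPattern(p));
```

Only patterns that pass this check should be forwarded to minimatch(); the check is deliberately conservative and also rejects nesting that is separated by a bounded extglob.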



Advisories

  Source: Github GHSA
  ID: GHSA-23c5-xmqv-rm74
  Title: minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions
History

Sat, 28 Feb 2026 00:15:00 +0000

  Type: References
  Type: Metrics (threat_severity)
    Values Removed: None
    Values Added: Important

Fri, 27 Feb 2026 17:30:00 +0000

  Type: First Time appeared
    Values Added: Minimatch Project; Minimatch Project minimatch
  Type: CPEs
    Values Added: cpe:2.3:a:minimatch_project:minimatch:*:*:*:*:*:node.js:*:*
  Type: Vendors & Products
    Values Added: Minimatch Project; Minimatch Project minimatch

Fri, 27 Feb 2026 15:15:00 +0000

  Type: Metrics (ssvc)
    Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Feb 2026 13:30:00 +0000

  Type: First Time appeared
    Values Added: Isaacs; Isaacs minimatch
  Type: Vendors & Products
    Values Added: Isaacs; Isaacs minimatch

Thu, 26 Feb 2026 01:30:00 +0000

  Type: Description
    Values Added: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), which exhibit catastrophic backtracking in V8. With a 12-byte pattern `*(*(*(a|b)))` and an 18-byte non-matching input, `minimatch()` stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default `minimatch()` API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects `+()` extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.
  Type: Title
    Values Added: minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions
  Type: Weaknesses
    Values Added: CWE-1333
  Type: References
  Type: Metrics (cvssV3_1)
    Values Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T19:21:39.006Z

Reserved: 2026-02-24T15:19:29.718Z

Link: CVE-2026-27904

Vulnrichment

Updated: 2026-02-26T19:21:29.476Z

NVD

Status: Analyzed

Published: 2026-02-26T02:16:21.760

Modified: 2026-02-27T17:16:23.773

Link: CVE-2026-27904

Redhat

Severity: Important

Public Date: 2026-02-26T01:07:42Z

Links: CVE-2026-27904 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T14:45:21Z

Weaknesses