Description
Picomatch is a glob matcher written in JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are affected by a method injection vulnerability in the `POSIX_REGEX_SOURCE` object. Because that object inherits from `Object.prototype`, a specially crafted POSIX bracket expression (e.g., `[[:constructor:]]`) can name an inherited method instead of a real character class. The inherited method is implicitly converted to a string and injected into the generated regular expression. The result is incorrect glob matching (integrity impact): patterns may match unintended filenames. The issue does not enable remote code execution, but it can cause security-relevant logic errors in applications that rely on glob matching for filtering, validation, or access control. All users of affected `picomatch` versions that process untrusted or user-controlled glob patterns are potentially impacted. This issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2. Users should upgrade to one of these versions or later, depending on their supported release line. If upgrading is not immediately possible, avoid passing untrusted glob patterns to picomatch. Possible mitigations include sanitizing or rejecting untrusted glob patterns, especially those containing POSIX character classes like `[[:...:]]`; avoiding the use of POSIX bracket expressions if user input is involved; and manually patching the library by modifying `POSIX_REGEX_SOURCE` to use a null prototype.
Published: 2026-03-26
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Integrity impact
Action: Patch Immediately
AI Analysis

Impact

Picomatch, a JavaScript glob matcher, contains a method injection flaw in its POSIX_REGEX_SOURCE object. Because the object inherits from Object.prototype, an attacker can craft POSIX bracket expressions like [[:constructor:]] that reference inherited method names. These method names are coerced into strings and inserted into the generated regular expression, causing the glob pattern to match unintended filenames. The flaw does not provide remote code execution but leads to integrity‑level logic errors in any application that relies on picomatch for filtering, validation, or access control.

Affected Systems

The vulnerability affects the Picomatch library distributed by micromatch. Versions older than 4.0.4, 3.0.2, and 2.3.2 are impacted. Any Node.js application that imports picomatch and processes user‑controlled glob patterns is potentially exposed.

Risk and Exploitability

The flaw carries a CVSS score of 5.3 and an EPSS probability of less than 1%, indicating a moderate severity but low likelihood of exploitation. It is not listed in the CISA KEV catalog. Abuse requires only that an attacker supply a crafted glob pattern to the vulnerable library, which can happen through publicly exposed APIs or file‑system interfaces. While the attack surface is relatively narrow, the integrity consequences could allow an attacker to bypass file‑level restrictions or gain unexpected access within the application.

Generated by OpenCVE AI on April 2, 2026 at 04:15 UTC.

Remediation

Fixed in picomatch 4.0.4, 3.0.2 and 2.3.2 (see Description). If upgrading is not yet possible, the vendor-stated mitigations are to keep untrusted glob patterns away from picomatch, to reject patterns containing `[[:...:]]`, or to patch `POSIX_REGEX_SOURCE` to a null-prototype object.

OpenCVE Recommended Actions

  • Upgrade picomatch to version 4.0.4, 3.0.2, 2.3.2 or later.
  • If an upgrade is not immediately possible, avoid passing any untrusted glob patterns to picomatch.
  • Sanitize or reject glob patterns that contain POSIX character classes such as [[:...:]] when user input is involved.
  • Manually patch the library by setting POSIX_REGEX_SOURCE to use a null prototype to eliminate prototype chain access.

Generated by OpenCVE AI on April 2, 2026 at 04:15 UTC.
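The mechanism in the Description and the mitigations listed above, as an added example that is not picomatch's own code: a small bracket-expression translator models the inherited-property lookup, places the null-prototype fix beside it, and adds the input-side allow-list check a caller who cannot upgrade would want. The class table, the function names (expandPosixClasses, makeMatcher, validateUntrustedGlob) and the filenames are assumptions for illustration; the table is a modelled subset, not picomatch's real POSIX_REGEX_SOURCE, and no other glob syntax is translated.

```javascript
// Added example (not picomatch's code). Models the bug class from the
// advisory so the failure mode and the null-prototype fix run side by side.
// The class table is a modelled subset, not picomatch's real table.

// Plain object literal: inherits from Object.prototype, so a lookup for
// "constructor" or "toString" returns an inherited function, not undefined.
const VULNERABLE_POSIX = {
  alpha: 'a-zA-Z',
  digit: '0-9',
  alnum: 'a-zA-Z0-9',
  space: ' \\t\\r\\n\\v\\f',
};

// Hardened table: same entries, null prototype, so only listed keys resolve.
const SAFE_POSIX = Object.assign(Object.create(null), VULNERABLE_POSIX);

// Expand every "[[:name:]]" into a regex character class using `table`.
// Mirrors the advisory's mechanism: whatever the lookup yields is
// string-concatenated into the regex source, so an inherited function is
// coerced through Function.prototype.toString.
function expandPosixClasses(glob, table) {
  return glob.replace(/\[\[:(\w+):\]\]/g, (_m, name) => {
    const src = table[name];
    if (src === undefined) {
      throw new Error(`unknown POSIX class: ${name}`);
    }
    return `[${src}]`;
  });
}

// Anchored matcher over the expanded source (POSIX classes only).
function makeMatcher(glob, table) {
  const re = new RegExp(`^${expandPosixClasses(glob, table)}$`);
  return (name) => re.test(name);
}

// Input-side mitigation for callers that cannot upgrade yet: reject any POSIX
// class name that is not an own property of the allow-list. Object.hasOwn
// ignores the prototype chain, so "constructor" is refused even if the
// allow-list were a plain object.
function validateUntrustedGlob(glob, allowed = SAFE_POSIX) {
  for (const [, name] of glob.matchAll(/\[\[:(\w+):\]\]/g)) {
    if (!Object.hasOwn(allowed, name)) {
      return { ok: false, reason: `disallowed POSIX class: ${name}` };
    }
  }
  return { ok: true };
}

// Demonstration on constructed inputs.
function demo() {
  const hostile = '[[:constructor:]]';
  // With the inheriting table the source of Object's constructor leaks into
  // the regex, which still compiles, so the misbehaviour is silent.
  const leaked = expandPosixClasses(hostile, VULNERABLE_POSIX);
  // The constructed filename "o }]" is accepted by that regex although no
  // sane caller meant to match it.
  const unintendedMatch = makeMatcher(hostile, VULNERABLE_POSIX)('o }]');
  let safeRejected = false;
  try {
    expandPosixClasses(hostile, SAFE_POSIX);
  } catch {
    safeRejected = true;
  }
  return {
    leaked,
    unintendedMatch,
    safeRejected,
    validation: validateUntrustedGlob(hostile).ok,
  };
}
```

The null-prototype table fails closed (an unknown class throws) rather than silently emitting an inherited function's source; the allow-list check belongs at the trust boundary, before the pattern ever reaches the library, and is the cheaper control while an upgrade is scheduled.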


Advisories
Source: Github GHSA
ID: GHSA-3v7f-55p6-f55p
Title: Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching
History

Wed, 01 Apr 2026 23:45:00 +0000

Values Added:
  First Time appeared: Jonschlinkert; Jonschlinkert picomatch
  CPEs: cpe:2.3:a:jonschlinkert:picomatch:*:*:*:*:*:node.js:*:*
  Vendors & Products: Jonschlinkert; Jonschlinkert picomatch

Fri, 27 Mar 2026 14:15:00 +0000

Values Added:
  Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Mar 2026 12:15:00 +0000

Values Added:
  Weaknesses: CWE-624
  References
  Metrics (threat_severity): removed None, added Moderate


Fri, 27 Mar 2026 08:45:00 +0000

Values Added:
  First Time appeared: Micromatch; Micromatch picomatch
  Vendors & Products: Micromatch; Micromatch picomatch

Thu, 26 Mar 2026 22:00:00 +0000

Values Added:
  Description: Picomatch is a glob matcher written in JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to a method injection vulnerability affecting the `POSIX_REGEX_SOURCE` object. Because the object inherits from `Object.prototype`, specially crafted POSIX bracket expressions (e.g., `[[:constructor:]]`) can reference inherited method names. These methods are implicitly converted to strings and injected into the generated regular expression. This leads to incorrect glob matching behavior (integrity impact), where patterns may match unintended filenames. The issue does not enable remote code execution, but it can cause security-relevant logic errors in applications that rely on glob matching for filtering, validation, or access control. All users of affected `picomatch` versions that process untrusted or user-controlled glob patterns are potentially impacted. This issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2. Users should upgrade to one of these versions or later, depending on their supported release line. If upgrading is not immediately possible, avoid passing untrusted glob patterns to picomatch. Possible mitigations include sanitizing or rejecting untrusted glob patterns, especially those containing POSIX character classes like `[[:...:]]`; avoiding the use of POSIX bracket expressions if user input is involved; and manually patching the library by modifying `POSIX_REGEX_SOURCE` to use a null prototype.
  Title: Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching
  Weaknesses: CWE-1321
  References
  Metrics (cvssV3_1): {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T13:58:41.846Z

Reserved: 2026-03-23T16:34:59.930Z

Link: CVE-2026-33672

Vulnrichment

Updated: 2026-03-27T13:31:42.669Z

NVD

Status : Analyzed

Published: 2026-03-26T22:16:30.387

Modified: 2026-04-01T13:44:53.397

Link: CVE-2026-33672

Redhat

Severity : Moderate

Public Date: 2026-03-26T21:39:16Z

Links: CVE-2026-33672 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-02T07:56:14Z

Weaknesses