Description

minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), which exhibit catastrophic backtracking in V8. With a 12-byte pattern `*(*(*(a|b)))` and an 18-byte non-matching input, `minimatch()` stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default `minimatch()` API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects `+()` extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.

INFO

Published Date :

2026-02-26T01:07:42.693Z

Last Modified :

2026-02-26T19:21:39.006Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-27904 vulnerability.

Vendors Products
Isaacs
  • Minimatch
Minimatch Project
  • Minimatch
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-27904.

URL Resource
https://github.com/isaacs/minimatch/security/advisories/GHSA-23c5-xmqv-rm74 cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2026-27904 cve-icon
https://www.cve.org/CVERecord?id=CVE-2026-27904 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact