Overview
About vulnerability
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested *() extglobs produce regexps with nested unbounded quantifiers (e.g. (?:(?:a|b)*)*), which exhibit catastrophic backtracking in V8. With a 12-byte pattern *(*(*(a|b))) and an 18-byte non-matching input, minimatch() stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default minimatch() API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects +() extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.
Details
- Affected product:
- @bazel/typescript, @microsoft/api-extractor, @rollup/plugin-commonjs, Acorn, AlmaLinux 9.2 ESU, Next.js, Node.js, Protocol Buffers, React, TuxCare 9.6 ESU, archiver-utils, autodll-webpack-plugin, babel, babel-plugin-module-resolver, cacache, clang-format, cli, copy-concurrently, del, eslint-import-resolver-typescript, eslint-plugin-import, eslint-plugin-jsx-a11y, eslint-plugin-react, firefox-profile, fs-extra, fstream, glob, globby, jasmine-npm, jpm, karma, loopback, loopback-connector, loopback-connector-remote, loopback-datasource-juggler, loopback-phase, maximatch, minimatch, move-concurrently, move-file, multimatch, pdfjs-dist, postcss-functions, protractor, purgecss, recursive-copy, recursive-readdir, remix, rimraf, selenium-webdriver, shelljs, sort-package-json, strong-error-handler, strong-globalize, strong-remoting, tailwindcss, tar, terser-webpack-plugin, tmp, uglifyjs-webpack-plugin, webdriver-js-extender, webdriver-manager, webpack, webpack-dev-server, yamljs
- Affected packages:
- icu @ 67.1 (+254 more)