Overview
About vulnerability
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested *() extglobs produce regexps with nested unbounded quantifiers (e.g. (?:(?:a|b)*)*), which exhibit catastrophic backtracking in V8. With the 12-byte pattern *(*(*(a|b))) and an 18-byte non-matching input, minimatch() stalls for over 7 seconds; adding a single nesting level or a few input characters pushes this to minutes. This is the most severe of the reported findings because it is triggered by the default minimatch() API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects +() extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.
Details
- Affected product:
- @bazel/concatjs , @bazel/typescript , @microsoft/api-extractor , @rollup/plugin-commonjs , Acorn , AlmaLinux 9.2 ESU , Angular , CentOS 8.4 ELS , CentOS 8.5 ELS , CentOS Stream 8 ELS , Next.js , Node.js , Protocol Buffers , React , TuxCare 9.6 ESU , archiver-utils , astro , autodll-webpack-plugin , aws-crt-nodejs , aws-sdk-js-v3 , b4a , babel , babel-jest , babel-loader , babel-plugin-codegen , babel-plugin-istanbul , babel-plugin-module-resolver , babel-preset-expo , bare-fs , bare-stream , bin-links , bottom-tabs , cacache , cache-loader , cacheable , chromium-edge-launcher , clang-format , cli , cli-clean , components , config-array , copy-concurrently , credential-provider-cognito-identity , credential-provider-login , db0 , del , dev-middleware , devtools , drawer , drizzle-orm , eslint , eslint-import-resolver-typescript , eslint-plugin-import , eslint-plugin-jsx-a11y , eslint-plugin-react , eslint-plugin-vue , eslintrc , expo , expo-asset , expo-constants , expo-file-system , expo-image , expo-linking , expo-modules-jsi , expo-router , expo-sqlite , expo-symbols , expo-widgets , file-loader , firefox-profile , friendly-errors-webpack-plugin , fs-extra , fs-vacuum , fstream , gaze , gentle-fs , gh-pages , glob , globby , grunt , grunt-karma , hard-source-webpack-plugin , help-me , ignore-walk , init-package-json , jasmine-npm , jest , jest-circus , jest-preset , jest-runtime , jest-transform , jpm , jscodeshift , karma , karma-jasmine , karma-junit-reporter , karma-requirejs , libcipm , libnpm , libnpmhook , libnpmorg , libnpmteam , lock-verify , loopback , loopback-connector , loopback-connector-remote , loopback-datasource-juggler , loopback-phase , make-fetch-happen , masked-view , maximatch , metro , metro-runtime , minimatch , mongodb , mongodb-client-encryption , mongoose , mongoose-legacy-pluralize , move-concurrently , move-file , mqtt.js , multimatch , native-stack , ng-packagr , nitro , npm , npm-lifecycle , npm-packlist , npm-profile , npm-registry-fetch , npx , nuxt , offline-plugin , op-sqlite , optimize-css-assets-webpack-plugin , pacote , pdfjs-dist , platform-ios , postcss-functions , postcss-url , progress-bar-webpack-plugin , protractor , puppeteer , purgecss , read-installed , read-package-json , read-package-tree , recursive-copy , recursive-readdir , remix , rewrite , rimraf , rnx-kit , sass-graph , sass-loader , selenium-webdriver , sharp , shelljs , sort-package-json , storybook , streamx , strong-error-handler , strong-globalize , strong-remoting , style-resources-loader , stylus , tailwindcss , tar , tar-fs , tar-stream , teex , tempy , terser-webpack-plugin , test-exclude , text-decoder , tmp , token-providers , true-case-path , tslint , typescript-eslint , uglifyjs-webpack-plugin , unstorage , vector-icons , vercel , vetur , vite , vite-dev-rpc , vite-hot-client , vite-plugin-checker , vite-plugin-inspect , vite-plugin-vue , vite-plugin-vue-inspector , vscode-languageserver-node , vti , webdriver-js-extender , webdriver-manager , webpack , webpack-dev-middleware , webpack-dev-server , webpack-subresource-integrity , webpackbar , yamljs
- Affected packages:
- tmp @ 0.2.1 (+971 more)
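Upgrading to a fixed minimatch version is the remedy. Where a service must keep accepting glob patterns from untrusted callers on a version that cannot be upgraded yet, the practical caller-side check is to refuse any pattern that nests the unbounded extglobs *() and +() before it reaches minimatch(). The following is an added example written for this page, not minimatch's own code or the upstream fix: it scans a pattern for extglob openers (the `*(`, `+(`, `?(`, `@(`, `!(` forms), honours backslash escapes and bracket expressions where parentheses are literal, and reports how deeply *()/+() groups nest. The function names, the `UnsafeGlobError` class and the default depth limit of 1 are this example's own choices, and the sample patterns are constructed for illustration.

```javascript
'use strict';

// *() and +() are the extglob forms that become unbounded regex quantifiers;
// nesting them is what yields (?:(?:a|b)*)* and catastrophic backtracking.
const UNBOUNDED = new Set(['*', '+']);

// Returns the maximum nesting depth of *() / +() extglobs in `pattern`.
// Bracket expressions ([...]) and backslash-escaped characters are skipped,
// since parentheses inside them are literal rather than extglob syntax.
function unboundedExtglobDepth(pattern) {
  const stack = [];          // kinds ('*', '+', '?', '@', '!') of open extglobs
  let depth = 0;             // current *()/+() nesting
  let maxDepth = 0;
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === '\\') { i++; continue; }              // escaped char: literal
    if (c === '[') {                                  // bracket expression
      let start = i + 1;
      if (pattern[start] === '!' || pattern[start] === '^') start++;
      if (pattern[start] === ']') start++;            // leading ']' is literal
      const close = pattern.indexOf(']', start);
      if (close !== -1) { i = close; continue; }      // unterminated '[' stays literal
    }
    if ('*+?@!'.includes(c) && pattern[i + 1] === '(') {
      stack.push(c);
      i++;                                            // consume the '('
      if (UNBOUNDED.has(c)) {
        depth++;
        if (depth > maxDepth) maxDepth = depth;
      }
      continue;
    }
    if (c === ')' && stack.length > 0) {              // ')' with nothing open is literal
      if (UNBOUNDED.has(stack.pop())) depth--;
    }
  }
  return maxDepth;
}

class UnsafeGlobError extends Error {}

// Gate for untrusted input: a single *() or +() is fine (it compiles to one
// unbounded quantifier); nesting beyond `maxDepth` is rejected before any
// RegExp is built. Returns the pattern unchanged when it passes.
function assertSafeGlob(pattern, maxDepth = 1) {
  const d = unboundedExtglobDepth(pattern);
  if (d > maxDepth) {
    throw new UnsafeGlobError(
      `rejected glob: *()/+() nested ${d} deep (limit ${maxDepth}): ${pattern}`);
  }
  return pattern;
}

// Constructed sample patterns; the first is the 12-byte trigger from the advisory.
const samples = ['*(*(*(a|b)))', '+(a|b)', 'src/**/*.js', '*(a|@(b|*(c)))', '[*(]*(a)'];
for (const p of samples) {
  try {
    assertSafeGlob(p);
    console.log(`ok       depth=${unboundedExtglobDepth(p)}  ${p}`);
  } catch (e) {
    if (!(e instanceof UnsafeGlobError)) throw e;
    console.log(`REJECTED ${e.message}`);
  }
}
```

Run the gate on every pattern that crosses a trust boundary, not just the ones that look suspicious; the advisory's point is that the default API needs no options and only 12 bytes to trigger. The check is deliberately conservative about what it models (escapes and bracket expressions only), so a pattern it accepts still deserves a length cap and a per-request timeout.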