High severity · NVD Advisory · Published Feb 20, 2026 · Updated Feb 20, 2026

minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern

CVE-2026-26996

Description

minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1.
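The growth described above can be made concrete with a step counter. This is an added example, not code from minimatch or from the advisory: countSteps is a simplified model of a backtracking matcher (not V8 itself) for N lazy [^/]*? groups followed by one literal, and hasLongStarRun is a hypothetical pre-check for untrusted patterns whose limit of two consecutive stars is an assumption.

```javascript
// Added example: simplified model of a backtracking regex engine.
// Pattern modelled: ^ + N lazy [^/]*? groups + one literal + $.

// Count the states a backtracking matcher visits on `input`.
function countSteps(numStars, literal, input) {
  let steps = 0;
  // group: index of the next [^/]*? group; pos: where that group starts.
  function tryFrom(group, pos) {
    steps++;
    if (group === numStars) {
      // All groups placed: the literal must be the final character.
      return pos === input.length - 1 && input[pos] === literal;
    }
    // Lazy group: try the shortest span first, then grow by one character.
    for (let end = pos; end <= input.length; end++) {
      if (tryFrom(group + 1, end)) return true;
      if (input[end] === '/') break; // [^/] cannot consume a slash
    }
    return false;
  }
  const matched = tryFrom(0, 0);
  return { matched, steps };
}

// Hypothetical pre-check for untrusted glob patterns.
// Assumption: no legitimate pattern needs a run longer than `**`.
function hasLongStarRun(pattern, maxRun = 2) {
  return new RegExp(`\\*{${maxRun + 1},}`).test(pattern);
}

// Constructed sample input: ten characters, none of them the literal 'b'.
const sample = 'a'.repeat(10);
for (const n of [1, 5, 10]) {
  console.log(`stars=${n} steps=${countSteps(n, 'b', sample).steps}`);
}
console.log(hasLongStarRun('src/**/*.js'));       // ordinary glob
console.log(hasLongStarRun('*'.repeat(15) + 'b')); // shape from the advisory
```

On a failing input of length L the model visits C(L+N+1, N) states, which is where growth on the order of 4^N comes from when L is close to N; with a single star the count is linear in L.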

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| minimatch (npm) | >= 10.0.0, < 10.2.1 | 10.2.1 |
| minimatch (npm) | >= 9.0.0, < 9.0.6 | 9.0.6 |
| minimatch (npm) | >= 8.0.0, < 8.0.5 | 8.0.5 |
| minimatch (npm) | >= 7.0.0, < 7.4.7 | 7.4.7 |
| minimatch (npm) | >= 6.0.0, < 6.2.1 | 6.2.1 |
| minimatch (npm) | >= 5.0.0, < 5.1.7 | 5.1.7 |
| minimatch (npm) | >= 4.0.0, < 4.2.4 | 4.2.4 |
| minimatch (npm) | < 3.1.3 | 3.1.3 |
