minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern
Description
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive `*` wildcards followed by a literal character that does not appear in the test string. Each `*` compiles to a separate `[^/]*?` regex group, and when the match fails, V8's regex engine backtracks across every possible split of the input between those groups, so the running time grows exponentially: O(4^N), where N is the number of `*` characters. With N=15 a single minimatch() call takes about 2 seconds; with N=34 it effectively never returns. Any application that passes user-controlled strings to minimatch() as the pattern argument (the glob, not the path being tested) is exposed to denial of service. The issue is fixed in version 10.2.1, and the fix has been backported to the older release lines listed in the table below.
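The backtracking described above, reproduced in an added example that is not minimatch's own code. `naiveGlobToRegExp` is a deliberately simplified single-segment compiler that only mirrors the one-`[^/]*?`-per-wildcard shape the advisory describes (no globstar, no brace expansion); `collapseStars` and `isSafeUserGlob` are two mitigations written for this example, not a description of what the 10.2.1 commit does, and the limit of 3 consecutive stars is a hypothetical value.

```javascript
// Added example (not minimatch code): emulate the compiled-regex shape the
// advisory describes, trigger the backtracking with small N, and show two
// mitigations. Globstar (`**` as a whole segment) is intentionally not modelled.

// Escape one literal character for use inside a RegExp.
function escapeChar(ch) {
  return ch.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Unpatched-style compilation: N consecutive `*` produce N separate `[^/]*?`
// groups, so on a failed match the engine must try every way of splitting the
// input between them before it can conclude the trailing literal is absent.
function naiveGlobToRegExp(glob) {
  let src = '';
  for (const ch of glob) {
    src += ch === '*' ? '[^/]*?' : escapeChar(ch);
  }
  return new RegExp('^' + src + '$');
}

// Mitigation 1 (assumed for this example): within one path segment a run of
// `*` matches exactly what a single `*` matches, so collapse runs before
// compiling. Segments that are exactly `**` are left alone so a real
// globstar would survive in a compiler that implements it.
function collapseStars(glob) {
  return glob
    .split('/')
    .map((seg) => (seg === '**' ? seg : seg.replace(/\*{2,}/g, '*')))
    .join('/');
}

function collapsedGlobToRegExp(glob) {
  return naiveGlobToRegExp(collapseStars(glob));
}

// Mitigation 2: reject user-supplied patterns with long wildcard runs before
// they reach the glob engine. The limit is a hypothetical value; `**/`-style
// globstars (two stars) stay allowed.
const MAX_CONSECUTIVE_STARS = 3;
function isSafeUserGlob(glob) {
  return !new RegExp(`\\*{${MAX_CONSECUTIVE_STARS + 1},}`).test(glob);
}

// The advisory's trigger: N wildcards followed by a literal that the test
// string does not contain.
function redosPattern(n) {
  return '*'.repeat(n) + 'a';
}

// Milliseconds spent evaluating re.test(input) once.
function timeMatch(re, input) {
  const t0 = performance.now();
  re.test(input);
  return performance.now() - t0;
}

// Small N only, so the demonstration finishes quickly; the advisory reports
// ~2 s at N=15 and an effective hang at N=34 on unpatched minimatch.
function demo() {
  const input = 'b'.repeat(10); // constructed test string: contains no 'a'
  for (const n of [4, 8, 12]) {
    const naive = timeMatch(naiveGlobToRegExp(redosPattern(n)), input);
    const fixed = timeMatch(collapsedGlobToRegExp(redosPattern(n)), input);
    console.log(`N=${n}: naive ${naive.toFixed(2)} ms, collapsed ${fixed.toFixed(2)} ms`);
  }
}

demo();
```

Run it with node; the demo prints per-N timings for both compilers. Keep N small when experimenting: the naive emulation grows the same way the advisory describes, and the collapsed form stays flat because there is only one `[^/]*?` left to backtrack over.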
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched version |
|---|---|---|---|
| minimatch | npm | >= 10.0.0, < 10.2.1 | 10.2.1 |
| minimatch | npm | >= 9.0.0, < 9.0.6 | 9.0.6 |
| minimatch | npm | >= 8.0.0, < 8.0.5 | 8.0.5 |
| minimatch | npm | >= 7.0.0, < 7.4.7 | 7.4.7 |
| minimatch | npm | >= 6.0.0, < 6.2.1 | 6.2.1 |
| minimatch | npm | >= 5.0.0, < 5.1.7 | 5.1.7 |
| minimatch | npm | >= 4.0.0, < 4.2.4 | 4.2.4 |
| minimatch | npm | < 3.1.3 | 3.1.3 |
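A lockfile check for the table above, written for this page and not part of npm, minimatch or the advisory: it walks a package-lock.json (lockfileVersion 1, 2 or 3), finds every nested copy of minimatch, and compares each version against the patched version for its major line. The sample lockfile is constructed inline; the semver handling is minimal and ignores pre-release tags.

```javascript
// Added example: audit a package-lock.json for minimatch copies that fall
// below the patched version of their release line (values from the GHSA table).

// Patched version per major line. Everything below 3.1.3 (0.x through 3.1.2)
// is covered by the first entry; majors above 10 are not listed as affected.
const PATCHED_BY_MAJOR = [
  { major: 3, fixedIn: '3.1.3' },
  { major: 4, fixedIn: '4.2.4' },
  { major: 5, fixedIn: '5.1.7' },
  { major: 6, fixedIn: '6.2.1' },
  { major: 7, fixedIn: '7.4.7' },
  { major: 8, fixedIn: '8.0.5' },
  { major: 9, fixedIn: '9.0.6' },
  { major: 10, fixedIn: '10.2.1' },
];

// Minimal semver parser: major.minor.patch; a pre-release suffix is ignored,
// so "10.2.1-rc.0" is treated as 10.2.1 (a known simplification).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Returns { affected, fixedIn } for one installed minimatch version.
function assessMinimatch(version) {
  const major = parseVersion(version)[0];
  const line = PATCHED_BY_MAJOR.find((p) => major <= p.major);
  if (!line) return { affected: false, fixedIn: null };
  return { affected: compareVersions(version, line.fixedIn) < 0, fixedIn: line.fixedIn };
}

// Collects every installed minimatch from the lockfileVersion 2/3 `packages`
// map or, failing that, the lockfileVersion 1 nested `dependencies` tree.
function collectMinimatch(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/minimatch')) found.push({ path, version: entry.version });
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'minimatch') found.push({ path, version: entry.version });
      walk(entry.dependencies, path + '/');
    }
  };
  walk(lock.dependencies, '');
  return found;
}

function auditLockfile(lock) {
  return collectMinimatch(lock).map((m) => ({ ...m, ...assessMinimatch(m.version) }));
}

// Constructed sample lockfile (lockfileVersion 3) with three nested copies:
// one patched, two below the patched version of their line.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { glob: '^10.3.0', minimatch: '^9.0.0' } },
    'node_modules/minimatch': { version: '9.0.5' },
    'node_modules/glob': { version: '10.3.10', dependencies: { minimatch: '^10.0.0' } },
    'node_modules/glob/node_modules/minimatch': { version: '10.2.1' },
    'node_modules/legacy-tool': { version: '1.0.0', dependencies: { minimatch: '^3.0.0' } },
    'node_modules/legacy-tool/node_modules/minimatch': { version: '3.0.4' },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  const verdict = f.affected ? `AFFECTED, upgrade to ${f.fixedIn}` : 'ok';
  console.log(`${f.path}@${f.version}: ${verdict}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. `npm ls minimatch --all` shows the same nested copies interactively, and `npm audit` flags them once the advisory is in the registry database; a lockfile walk like this is what fits in CI, where the committed lockfile rather than the live registry is the source of truth.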
Affected products
177 entries; package coordinates (purl) and version ranges sourced from OSV. None of these entries has a CPE assigned.
| Product (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/actions-runner | < 2.332.0-r0 |
| pkg:apk/chainguard/arangodb-3.11 | < 3.11.14.3-r1 |
| pkg:apk/chainguard/arangodb-3.12 | < 3.12.7.2-r2 |
| pkg:apk/chainguard/argo-workflows-ui-3.6 | < 3.6.19-r5 |
| pkg:apk/chainguard/argo-workflows-ui-3.7 | < 3.7.13-r0 |
| pkg:apk/chainguard/argo-workflows-ui-4.0 | < 4.0.4-r6 |
| pkg:apk/chainguard/authentik-2026.2 | < 2026.2.4-r9 |
| pkg:apk/chainguard/authentik-fips-2026.2 | < 2026.2.4-r8 |
| pkg:apk/chainguard/code-server | < 4.106.3-r5 |
| pkg:apk/chainguard/drupal-11.3 | < 11.3.13-r1 |
| pkg:apk/chainguard/emscripten | < 5.0.1-r2 |
| pkg:apk/chainguard/eslint | < 10.0.1-r0 |
| pkg:apk/chainguard/foxx-cli | < 2.1.1-r4 |
| pkg:apk/chainguard/gemini-cli | < 0.30.0-r0 |
| pkg:apk/chainguard/graalvm-25-ce-nodejs | < 25.0.2-r3 |
| pkg:apk/chainguard/katib-earlystopping | < 0.19.0-r23 |
| pkg:apk/chainguard/katib-suggestion-hyperband | < 0.19.0-r23 |
| pkg:apk/chainguard/katib-suggestion-hyperopt | < 0.19.0-r23 |
| pkg:apk/chainguard/katib-suggestion-nas-darts | < 0.19.0-r23 |
| pkg:apk/chainguard/katib-suggestion-nas-enas | < 0.19.0-r23 |
| pkg:apk/chainguard/katib-suggestion-optuna-enas | < 0.19.0-r23 |
| pkg:apk/chainguard/katib-suggestion-pbt-enas | < 0.19.0-r23 |
| pkg:apk/chainguard/katib-suggestion-skopt-enas | < 0.19.0-r23 |
| pkg:apk/chainguard/katib-tfevent-metricscollector | < 0.19.0-r23 |
| pkg:apk/chainguard/kibana-8.17 | < 8.17.10-r12 |
| pkg:apk/chainguard/kibana-8.17-bitnami | < 8.17.10-r12 |
| pkg:apk/chainguard/kibana-8.17-iamguarded | < 8.17.10-r12 |
| pkg:apk/chainguard/kibana-8.19 | < 8.19.12-r2 |
| pkg:apk/chainguard/kibana-8.19-bitnami | < 8.19.12-r2 |
| pkg:apk/chainguard/kibana-8.19-iamguarded | < 8.19.12-r2 |
| pkg:apk/chainguard/kibana-9.0 | < 9.0.8-r13 |
| pkg:apk/chainguard/kibana-9.0-bitnami | < 9.0.8-r13 |
| pkg:apk/chainguard/kibana-9.0-iamguarded | < 9.0.8-r13 |
| pkg:apk/chainguard/kibana-9.1 | < 9.1.10-r6 |
| pkg:apk/chainguard/kibana-9.1-iamguarded | < 9.1.10-r6 |
| pkg:apk/chainguard/kibana-9.2 | < 9.2.5-r5 |
| pkg:apk/chainguard/kibana-9.2-iamguarded | < 9.2.5-r5 |
| pkg:apk/chainguard/kibana-9.3 | < 9.3.0-r2 |
| pkg:apk/chainguard/kibana-9.3-iamguarded | < 9.3.0-r2 |
| pkg:apk/chainguard/kubeflow-centraldashboard | < 1.10.0-r12 |
| pkg:apk/chainguard/kubeflow-pipelines-frontend | < 2.16.0-r0 |
| pkg:apk/chainguard/langfuse-2-worker | < 2.95.12-r11 |
| pkg:apk/chainguard/langfuse-3 | < 3.155.1-r2 |
| pkg:apk/chainguard/langfuse-3-worker | < 3.155.1-r2 |
| pkg:apk/chainguard/langfuse-fips-2-worker | < 2.95.12-r13 |
| pkg:apk/chainguard/langfuse-fips-3 | < 3.155.1-r1 |
| pkg:apk/chainguard/langfuse-fips-3-worker | < 3.155.1-r1 |
| pkg:apk/chainguard/lerna | < 9.0.4-r3 |
| pkg:apk/chainguard/librechat | < 0.8.2-r5 |
| pkg:apk/chainguard/node-gyp | < 12.2.0-r2 |
| pkg:apk/chainguard/npm | < 11.10.1-r0 |
| pkg:apk/chainguard/opensearch-dashboards-2 | < 2.19.4-r15 |
| pkg:apk/chainguard/opensearch-dashboards-2-dashboards-reporting | < 2.19.4-r15 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips | < 2.19.4-r13 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-reporting | < 2.19.4-r13 |
| pkg:apk/chainguard/opensearch-dashboards-3 | < 3.5.0-r6 |
| pkg:apk/chainguard/opensearch-dashboards-3-dashboards-reporting | < 3.5.0-r6 |
| pkg:apk/chainguard/opensearch-dashboards-3-fips | < 3.5.0-r9 |
| pkg:apk/chainguard/opensearch-dashboards-3-fips-dashboards-reporting | < 3.5.0-r9 |
| pkg:apk/chainguard/opentelemetry-auto-instrumentations-node | < 0.70.0-r1 |
| pkg:apk/chainguard/pelias-api | < 7.6.0-r3 |
| pkg:apk/chainguard/pnpm-stage0 | < 8.7.4-r5 |
| pkg:apk/chainguard/prism | < 5.14.3-r8 |
| pkg:apk/chainguard/pulumi-language-nodejs | < 3.223.0-r1 |
| pkg:apk/chainguard/py3.10-jupyterlab | < 4.6.1-r1 |
| pkg:apk/chainguard/py3.11-jupyterlab | < 4.6.1-r1 |
| pkg:apk/chainguard/py3.12-jupyterlab | < 4.6.1-r1 |
| pkg:apk/chainguard/py3.13-jupyterlab | < 4.6.1-r1 |
| pkg:apk/chainguard/rancher-api-ui | < 1.2.3-r5 |
| pkg:apk/chainguard/redisinsight | < 3.0.3-r1 |
| pkg:apk/chainguard/renovate | < 43.38.0-r1 |
| pkg:apk/chainguard/saf | < 1.6.0-r0 |
| pkg:apk/chainguard/semaphore | < 2.18.12-r2 |
| pkg:apk/chainguard/serve | < 14.2.6-r0 |
| pkg:apk/chainguard/sqlpad | < 7.5.7-r10 |
| pkg:apk/chainguard/tileserver-gl | < 5.5.0-r5 |
| pkg:apk/chainguard/tileserver-gl-fips | < 5.5.0-r6 |
| pkg:apk/chainguard/ts-patch | < 4.0.1-r1 |
| pkg:apk/chainguard/vitess-22 | < 22.0.3-r2 |
| pkg:apk/chainguard/vitess-23 | < 23.0.2-r1 |
| pkg:apk/chainguard/wazuh-dashboard-plugins | < 4.14.6-r1 |
| pkg:apk/chainguard/wazuh-dashboard-plugins-fips | < 4.14.5-r11 |
| pkg:apk/wolfi/argo-workflows-ui-3.7 | < 3.7.13-r0 |
| pkg:apk/wolfi/argo-workflows-ui-4.0 | < 4.0.4-r6 |
| pkg:apk/wolfi/code-server | < 4.106.3-r5 |
| pkg:apk/wolfi/eslint | < 10.0.1-r0 |
| pkg:apk/wolfi/katib-earlystopping | < 0.19.0-r23 |
| pkg:apk/wolfi/katib-suggestion-hyperband | < 0.19.0-r23 |
| pkg:apk/wolfi/katib-suggestion-hyperopt | < 0.19.0-r23 |
| pkg:apk/wolfi/katib-suggestion-nas-darts | < 0.19.0-r23 |
| pkg:apk/wolfi/katib-suggestion-nas-enas | < 0.19.0-r23 |
| pkg:apk/wolfi/katib-suggestion-optuna-enas | < 0.19.0-r23 |
| pkg:apk/wolfi/katib-suggestion-pbt-enas | < 0.19.0-r23 |
| pkg:apk/wolfi/katib-suggestion-skopt-enas | < 0.19.0-r23 |
| pkg:apk/wolfi/katib-tfevent-metricscollector | < 0.19.0-r23 |
| pkg:apk/wolfi/kubeflow-centraldashboard | < 1.10.0-r12 |
| pkg:apk/wolfi/kubeflow-pipelines-frontend | < 2.16.0-r0 |
| pkg:apk/wolfi/langfuse-3 | < 3.155.1-r2 |
| pkg:apk/wolfi/langfuse-3-worker | < 3.155.1-r2 |
| pkg:apk/wolfi/lerna | < 9.0.4-r3 |
| pkg:apk/wolfi/node-gyp | < 12.2.0-r2 |
| pkg:apk/wolfi/npm | < 11.10.1-r0 |
| pkg:apk/wolfi/opensearch-dashboards-2 | < 2.19.4-r15 |
| pkg:apk/wolfi/opensearch-dashboards-2-dashboards-reporting | < 2.19.4-r15 |
| pkg:apk/wolfi/opensearch-dashboards-3 | < 3.5.0-r6 |
| pkg:apk/wolfi/opensearch-dashboards-3-dashboards-reporting | < 3.5.0-r6 |
| pkg:apk/wolfi/pnpm-stage0 | < 8.7.4-r5 |
| pkg:apk/wolfi/prism | < 5.14.3-r8 |
| pkg:apk/wolfi/pulumi-language-nodejs | < 3.223.0-r1 |
| pkg:apk/wolfi/py3.10-jupyterlab | < 4.6.1-r1 |
| pkg:apk/wolfi/py3.11-jupyterlab | < 4.6.1-r1 |
| pkg:apk/wolfi/py3.12-jupyterlab | < 4.6.1-r1 |
| pkg:apk/wolfi/py3.13-jupyterlab | < 4.6.1-r1 |
| pkg:apk/wolfi/rancher-api-ui | < 1.2.3-r5 |
| pkg:apk/wolfi/renovate | < 43.38.0-r1 |
| pkg:apk/wolfi/saf | < 1.6.0-r0 |
| pkg:apk/wolfi/serve | < 14.2.6-r0 |
| pkg:apk/wolfi/sqlpad | < 7.5.7-r10 |
| pkg:apk/wolfi/tileserver-gl | < 5.5.0-r5 |
| pkg:apk/wolfi/ts-patch | < 4.0.1-r1 |
| pkg:apk/wolfi/vitess-22 | < 22.0.3-r2 |
| pkg:apk/wolfi/vitess-23 | < 23.0.2-r1 |
| pkg:npm/minimatch | >= 10.0.0, < 10.2.1 |
| pkg:rpm/almalinux/nodejs | < 1:22.22.2-1.module_el8.10.0+4158+e796f37f |
| pkg:rpm/almalinux/nodejs24 | < 1:24.14.1-2.el10_1 |
| pkg:rpm/almalinux/nodejs24-devel | < 1:24.14.1-2.el10_1 |
| pkg:rpm/almalinux/nodejs24-docs | < 1:24.14.1-2.el10_1 |
| pkg:rpm/almalinux/nodejs24-full-i18n | < 1:24.14.1-2.el10_1 |
| pkg:rpm/almalinux/nodejs24-libs | < 1:24.14.1-2.el10_1 |
| pkg:rpm/almalinux/nodejs24-npm | < 1:11.11.0-1.24.14.1.2.el10_1 |
| pkg:rpm/almalinux/nodejs-devel | < 1:22.22.2-1.module_el8.10.0+4158+e796f37f |
| pkg:rpm/almalinux/nodejs-docs | < 1:22.22.2-1.el10_1 |
| pkg:rpm/almalinux/nodejs-full-i18n | < 1:22.22.2-1.module_el8.10.0+4158+e796f37f |
| pkg:rpm/almalinux/nodejs-libs | < 1:22.22.2-1.module_el8.10.0+4158+e796f37f |
| pkg:rpm/almalinux/nodejs-nodemon | < 3.0.1-1.module_el8.10.0+4006+3c416519 |
| pkg:rpm/almalinux/nodejs-npm | < 1:10.9.7-1.22.22.2.1.el10_1 |
| pkg:rpm/almalinux/nodejs-packaging | < 2021.06-6.module_el8.10.0+4158+e796f37f |
| pkg:rpm/almalinux/nodejs-packaging-bundler | < 2021.06-6.module_el8.10.0+4158+e796f37f |
| pkg:rpm/almalinux/npm | < 1:10.9.7-1.22.22.2.1.module_el8.10.0+4158+e796f37f |
| pkg:rpm/almalinux/v8-12.4-devel | < 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37f |
| pkg:rpm/almalinux/v8-13.6-devel | < 3:13.6.233.17-1.24.14.1.2.module_el9.7.0+222+ef1c61e1 |
| pkg:rpm/opensuse/cockpit&distro=openSUSE%20Leap%2016.0 | < 354-160000.2.1 |
| pkg:rpm/opensuse/cockpit-machines&distro=openSUSE%20Leap%2016.0 | < 346-160000.2.1 |
| pkg:rpm/opensuse/cockpit-packages&distro=openSUSE%20Leap%2016.0 | < 4-160000.1.1 |
| pkg:rpm/opensuse/cockpit-podman&distro=openSUSE%20Leap%2016.0 | < 117-160000.2.1 |
| pkg:rpm/opensuse/cockpit-repos&distro=openSUSE%20Leap%2016.0 | < 4.7-160000.2.1 |
| pkg:rpm/opensuse/cockpit-subscriptions&distro=openSUSE%20Leap%2016.0 | < 12.1-160000.3.1 |
| pkg:rpm/opensuse/velociraptor&distro=openSUSE%20Tumbleweed | < 0.7.0.4.git185.a5708584-2.1 |
| pkg:rpm/suse/cockpit&distro=SUSE%20Linux%20Enterprise%20Micro%205.2 | < 251.3-150300.6.9.1 |
| pkg:rpm/suse/cockpit&distro=SUSE%20Linux%20Enterprise%20Server%2016.0 | < 354-160000.2.1 |
| pkg:rpm/suse/cockpit&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0 | < 354-160000.2.1 |
| pkg:rpm/suse/cockpit&distro=SUSE%20Linux%20Micro%206.1 | < 322-slfo.1.1_3.1 |
| pkg:rpm/suse/cockpit&distro=SUSE%20Linux%20Micro%206.2 | < 354-160000.2.1 |
| pkg:rpm/suse/cockpit-machines&distro=SUSE%20Linux%20Enterprise%20Micro%205.2 | < 249.1-150300.5.6.1 |
| pkg:rpm/suse/cockpit-machines&distro=SUSE%20Linux%20Enterprise%20Server%2016.0 | < 346-160000.2.1 |
| pkg:rpm/suse/cockpit-machines&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0 | < 346-160000.2.1 |
| pkg:rpm/suse/cockpit-machines&distro=SUSE%20Linux%20Micro%206.0 | < 305-4.1 |
| pkg:rpm/suse/cockpit-machines&distro=SUSE%20Linux%20Micro%206.1 | < 316-slfo.1.1_3.1 |
| pkg:rpm/suse/cockpit-machines&distro=SUSE%20Linux%20Micro%206.2 | < 346-160000.2.1 |
| pkg:rpm/suse/cockpit-packages&distro=SUSE%20Linux%20Enterprise%20Server%2016.0 | < 4-160000.1.1 |
| pkg:rpm/suse/cockpit-packages&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0 | < 4-160000.1.1 |
| pkg:rpm/suse/cockpit-podman&distro=SUSE%20Linux%20Enterprise%20Micro%205.2 | < 33-150300.6.9.1 |
| pkg:rpm/suse/cockpit-podman&distro=SUSE%20Linux%20Enterprise%20Server%2016.0 | < 117-160000.2.1 |
| pkg:rpm/suse/cockpit-podman&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0 | < 117-160000.2.1 |
| pkg:rpm/suse/cockpit-podman&distro=SUSE%20Linux%20Micro%206.1 | < 91-slfo.1.1_4.1 |
| pkg:rpm/suse/cockpit-podman&distro=SUSE%20Linux%20Micro%206.2 | < 117-160000.2.1 |
| pkg:rpm/suse/cockpit-repos&distro=SUSE%20Linux%20Enterprise%20Server%2016.0 | < 4.7-160000.2.1 |
| pkg:rpm/suse/cockpit-repos&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0 | < 4.7-160000.2.1 |
| pkg:rpm/suse/cockpit-repos&distro=SUSE%20Linux%20Micro%206.2 | < 4.7-160000.2.1 |
| pkg:rpm/suse/cockpit-subscriptions&distro=SUSE%20Linux%20Enterprise%20Server%2016.0 | < 12.1-160000.3.1 |
| pkg:rpm/suse/cockpit-subscriptions&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0 | < 12.1-160000.3.1 |
| pkg:rpm/suse/cockpit-subscriptions&distro=SUSE%20Linux%20Micro%206.2 | < 12.1-160000.3.1 |
| pkg:rpm/suse/cockpit-tukit&distro=SUSE%20Linux%20Enterprise%20Micro%205.2 | < 0.0.3~git14.ff11a9a-150300.1.9.1 |
| pkg:rpm/suse/cockpit-tukit&distro=SUSE%20Linux%20Micro%206.0 | < 0.1.2~git0.647b3e3-2.1 |
| pkg:rpm/suse/kernel-rt&distro=SUSE%20Linux%20Micro%206.0 | < 6.4.0-41.1 |
| pkg:rpm/suse/kernel-source-rt&distro=SUSE%20Linux%20Micro%206.0 | < 6.4.0-41.1 |
| isaacs/minimatch (GitHub repository) | < 10.2.1 |
References
- https://github.com/advisories/GHSA-3ppc-4f35-3m26 (GHSA, ADVISORY)
- https://nvd.nist.gov/vuln/detail/CVE-2026-26996 (GHSA, ADVISORY)
- https://github.com/isaacs/minimatch/commit/2e111f3a79abc00fa73110195de2c0f2351904f5 (GHSA, x_refsource_MISC, WEB)
- https://github.com/isaacs/minimatch/security/advisories/GHSA-3ppc-4f35-3m26 (GHSA, x_refsource_CONFIRM, WEB)