minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions
Description
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested *() extglobs produce regexps with nested unbounded quantifiers (e.g. (?:(?:a|b)*)*), which exhibit catastrophic backtracking in V8. With a 12-byte pattern *(*(*(a|b))) and an 18-byte non-matching input, minimatch() stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default minimatch() API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects +() extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.
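The description above explains the mechanism: each `*( ... )` or `+( ... )` extglob group becomes an unbounded quantifier in the generated RegExp, so nesting the groups yields shapes like `(?:(?:a|b)*)*` that backtrack catastrophically. The upgrade to a patched version is the fix; the following is an added defense-in-depth example, not minimatch's own code and not the upstream patch, showing how a caller that accepts glob patterns from untrusted input can measure the nesting depth of those two extglob forms and refuse deep nesting before the pattern ever reaches the glob-to-RegExp compiler. The names `extglobNestingDepth`, `safeMatch`, `MAX_EXTGLOB_DEPTH` and the `matcher` parameter are this example's own; it assumes the matcher takes arguments in minimatch's `(path, pattern)` order.

```javascript
// Added example, not minimatch's own code. It measures how deeply the two
// extglob forms the advisory names, *( ... ) and +( ... ), are nested inside
// a glob pattern. Each such group becomes an unbounded quantifier in the
// generated RegExp, so nesting them is what yields shapes like (?:(?:a|b)*)*.
// Names below (extglobNestingDepth, safeMatch, matcher) are this example's own.

// Return the maximum nesting depth of *( / +( groups in `pattern`.
// Backslash escapes are honoured so that a literal "\*(" is not counted;
// other extglob forms (?( @( !() and plain parentheses are tracked only to
// keep the open/close bookkeeping correct.
function extglobNestingDepth(pattern) {
  const openGroups = [];   // one entry per unmatched '(': true if it is *( or +(
  let depth = 0;
  let maxDepth = 0;
  let prevUnescaped = '';  // previous character, '' right after an escape

  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === '\\') {
      i++;                 // skip the escaped character entirely
      prevUnescaped = '';
      continue;
    }
    if (c === '(') {
      const unbounded = prevUnescaped === '*' || prevUnescaped === '+';
      openGroups.push(unbounded);
      if (unbounded) {
        depth++;
        if (depth > maxDepth) maxDepth = depth;
      }
    } else if (c === ')' && openGroups.length > 0) {
      if (openGroups.pop()) depth--;
    }
    prevUnescaped = c;
  }
  return maxDepth;
}

// Depth 1 keeps ordinary patterns such as *(a|b) working; the 12-byte
// pattern from the advisory, *(*(*(a|b))), has depth 3.
const MAX_EXTGLOB_DEPTH = 1;

// Guard that runs before the glob is compiled. `matcher` stands in for a
// glob matcher with minimatch's (path, pattern) argument order (assumption).
// Patterns that nest *( / +( beyond the budget are rejected instead of being
// handed to the RegExp engine.
function safeMatch(matcher, path, pattern, maxDepth = MAX_EXTGLOB_DEPTH) {
  const depth = extglobNestingDepth(pattern);
  if (depth > maxDepth) {
    throw new Error(
      `glob pattern rejected: *( / +( nesting depth ${depth} exceeds ${maxDepth}`
    );
  }
  return matcher(path, pattern);
}

// Constructed demo with a trivial literal matcher so the file runs offline.
const literalMatcher = (path, pattern) => path === pattern;
console.log(safeMatch(literalMatcher, 'src/index.js', 'src/index.js')); // true
console.log(extglobNestingDepth('*(*(*(a|b)))'));                       // 3
```

The guard is deliberately a syntactic pre-check rather than a timeout: a timeout still lets the event loop stall for its full duration, whereas rejecting the pattern before compilation costs a single linear scan. The same depth measurement can serve as a detection rule over logged or configured glob patterns on hosts that have not yet moved to a patched version.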
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| minimatch (npm) | >= 10.0.0, < 10.2.3 | 10.2.3 |
| minimatch (npm) | >= 9.0.0, < 9.0.7 | 9.0.7 |
| minimatch (npm) | >= 8.0.0, < 8.0.6 | 8.0.6 |
| minimatch (npm) | >= 7.0.0, < 7.4.8 | 7.4.8 |
| minimatch (npm) | >= 6.0.0, < 6.2.2 | 6.2.2 |
| minimatch (npm) | >= 5.0.0, < 5.1.8 | 5.1.8 |
| minimatch (npm) | >= 4.0.0, < 4.2.5 | 4.2.5 |
| minimatch (npm) | < 3.1.4 | 3.1.4 |
Affected products
110 affected products: 109 OSV package coordinates plus one GitHub repository entry. None of them carries a CPE; each is listed with the affected version range given by the source.

| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/actions-runner | < 2.332.0-r1 |
| pkg:apk/chainguard/arangodb-3.11 | < 3.11.14.3-r2 |
| pkg:apk/chainguard/arangodb-3.12 | < 3.12.7.2-r3 |
| pkg:apk/chainguard/argo-workflows-ui-3.6 | < 3.6.19-r6 |
| pkg:apk/chainguard/argo-workflows-ui-3.7 | < 3.7.13-r2 |
| pkg:apk/chainguard/argo-workflows-ui-4.0 | < 4.0.4-r6 |
| pkg:apk/chainguard/authentik-2026.2 | < 2026.2.4-r9 |
| pkg:apk/chainguard/authentik-fips-2026.2 | < 2026.2.4-r8 |
| pkg:apk/chainguard/code-server | < 4.109.2-r0 |
| pkg:apk/chainguard/drupal-11.3 | < 11.3.13-r1 |
| pkg:apk/chainguard/emscripten | < 5.0.2-r1 |
| pkg:apk/chainguard/eslint | < 10.0.2-r1 |
| pkg:apk/chainguard/graalvm-25-ce-nodejs | < 25.0.2-r4 |
| pkg:apk/chainguard/katib-earlystopping | < 0.19.0-r23 |
| pkg:apk/chainguard/katib-suggestion-hyperband | < 0.19.0-r23 |
| pkg:apk/chainguard/katib-suggestion-hyperopt | < 0.19.0-r23 |
| pkg:apk/chainguard/katib-suggestion-nas-darts | < 0.19.0-r23 |
| pkg:apk/chainguard/katib-suggestion-nas-enas | < 0.19.0-r23 |
| pkg:apk/chainguard/katib-suggestion-optuna-enas | < 0.19.0-r23 |
| pkg:apk/chainguard/katib-suggestion-pbt-enas | < 0.19.0-r23 |
| pkg:apk/chainguard/katib-suggestion-skopt-enas | < 0.19.0-r23 |
| pkg:apk/chainguard/katib-tfevent-metricscollector | < 0.19.0-r23 |
| pkg:apk/chainguard/kibana-8.17 | < 8.17.10-r12 |
| pkg:apk/chainguard/kibana-8.17-bitnami | < 8.17.10-r12 |
| pkg:apk/chainguard/kibana-8.17-iamguarded | < 8.17.10-r12 |
| pkg:apk/chainguard/kibana-8.19 | < 8.19.12-r2 |
| pkg:apk/chainguard/kibana-8.19-bitnami | < 8.19.12-r2 |
| pkg:apk/chainguard/kibana-8.19-iamguarded | < 8.19.12-r2 |
| pkg:apk/chainguard/kibana-9.0 | < 9.0.8-r13 |
| pkg:apk/chainguard/kibana-9.0-bitnami | < 9.0.8-r13 |
| pkg:apk/chainguard/kibana-9.0-iamguarded | < 9.0.8-r13 |
| pkg:apk/chainguard/kibana-9.1 | < 9.1.10-r6 |
| pkg:apk/chainguard/kibana-9.1-iamguarded | < 9.1.10-r6 |
| pkg:apk/chainguard/kibana-9.2 | < 9.2.5-r5 |
| pkg:apk/chainguard/kibana-9.2-iamguarded | < 9.2.5-r5 |
| pkg:apk/chainguard/kibana-9.3 | < 9.3.0-r2 |
| pkg:apk/chainguard/kibana-9.3-iamguarded | < 9.3.0-r2 |
| pkg:apk/chainguard/kubeflow-centraldashboard | < 1.10.0-r13 |
| pkg:apk/chainguard/langfuse-2-worker | < 2.95.12-r12 |
| pkg:apk/chainguard/lerna | < 9.0.5-r1 |
| pkg:apk/chainguard/librechat | < 0.8.2-r6 |
| pkg:apk/chainguard/node-gyp | < 12.2.0-r2 |
| pkg:apk/chainguard/npm | < 11.11.0-r1 |
| pkg:apk/chainguard/opensearch-dashboards-2 | < 2.19.4-r15 |
| pkg:apk/chainguard/opensearch-dashboards-2-dashboards-reporting | < 2.19.4-r15 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips | < 2.19.4-r13 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-reporting | < 2.19.4-r13 |
| pkg:apk/chainguard/opensearch-dashboards-3 | < 3.5.0-r6 |
| pkg:apk/chainguard/opensearch-dashboards-3-dashboards-reporting | < 3.5.0-r6 |
| pkg:apk/chainguard/opensearch-dashboards-3-fips | < 3.5.0-r9 |
| pkg:apk/chainguard/opensearch-dashboards-3-fips-dashboards-reporting | < 3.5.0-r9 |
| pkg:apk/chainguard/opentelemetry-auto-instrumentations-node | < 0.70.1-r1 |
| pkg:apk/chainguard/pnpm-stage0 | < 8.7.4-r5 |
| pkg:apk/chainguard/prism | < 5.14.3-r8 |
| pkg:apk/chainguard/pulumi-language-nodejs | < 3.224.0-r1 |
| pkg:apk/chainguard/renovate | < 43.49.0-r1 |
| pkg:apk/chainguard/saf | < 1.6.0-r0 |
| pkg:apk/chainguard/semaphore | < 2.18.12-r2 |
| pkg:apk/chainguard/serve | < 14.2.6-r0 |
| pkg:apk/chainguard/tileserver-gl | < 5.5.0-r6 |
| pkg:apk/chainguard/tileserver-gl-fips | < 5.5.0-r7 |
| pkg:apk/chainguard/ts-patch | < 4.0.1-r1 |
| pkg:apk/chainguard/vitess-22 | < 22.0.4-r4 |
| pkg:apk/chainguard/vitess-23 | < 23.0.3-r5 |
| pkg:apk/wolfi/argo-workflows-ui-3.7 | < 3.7.13-r2 |
| pkg:apk/wolfi/argo-workflows-ui-4.0 | < 4.0.4-r6 |
| pkg:apk/wolfi/code-server | < 4.109.2-r0 |
| pkg:apk/wolfi/eslint | < 10.0.2-r1 |
| pkg:apk/wolfi/katib-earlystopping | < 0.19.0-r23 |
| pkg:apk/wolfi/katib-suggestion-hyperband | < 0.19.0-r23 |
| pkg:apk/wolfi/katib-suggestion-hyperopt | < 0.19.0-r23 |
| pkg:apk/wolfi/katib-suggestion-nas-darts | < 0.19.0-r23 |
| pkg:apk/wolfi/katib-suggestion-nas-enas | < 0.19.0-r23 |
| pkg:apk/wolfi/katib-suggestion-optuna-enas | < 0.19.0-r23 |
| pkg:apk/wolfi/katib-suggestion-pbt-enas | < 0.19.0-r23 |
| pkg:apk/wolfi/katib-suggestion-skopt-enas | < 0.19.0-r23 |
| pkg:apk/wolfi/katib-tfevent-metricscollector | < 0.19.0-r23 |
| pkg:apk/wolfi/kubeflow-centraldashboard | < 1.10.0-r13 |
| pkg:apk/wolfi/lerna | < 9.0.5-r1 |
| pkg:apk/wolfi/node-gyp | < 12.2.0-r2 |
| pkg:apk/wolfi/npm | < 11.11.0-r1 |
| pkg:apk/wolfi/opensearch-dashboards-2 | < 2.19.4-r15 |
| pkg:apk/wolfi/opensearch-dashboards-2-dashboards-reporting | < 2.19.4-r15 |
| pkg:apk/wolfi/opensearch-dashboards-3 | < 3.5.0-r6 |
| pkg:apk/wolfi/opensearch-dashboards-3-dashboards-reporting | < 3.5.0-r6 |
| pkg:apk/wolfi/pnpm-stage0 | < 8.7.4-r5 |
| pkg:apk/wolfi/prism | < 5.14.3-r8 |
| pkg:apk/wolfi/pulumi-language-nodejs | < 3.224.0-r1 |
| pkg:apk/wolfi/renovate | < 43.49.0-r1 |
| pkg:apk/wolfi/saf | < 1.6.0-r0 |
| pkg:apk/wolfi/serve | < 14.2.6-r0 |
| pkg:apk/wolfi/tileserver-gl | < 5.5.0-r6 |
| pkg:apk/wolfi/ts-patch | < 4.0.1-r1 |
| pkg:apk/wolfi/vitess-22 | < 22.0.4-r4 |
| pkg:apk/wolfi/vitess-23 | < 23.0.3-r5 |
| pkg:npm/minimatch | >= 10.0.0, < 10.2.3 |
| pkg:rpm/almalinux/nodejs | < 1:22.22.2-1.module_el8.10.0+4158+e796f37f |
| pkg:rpm/almalinux/nodejs-devel | < 1:22.22.2-1.module_el8.10.0+4158+e796f37f |
| pkg:rpm/almalinux/nodejs-docs | < 1:22.22.2-1.el10_1 |
| pkg:rpm/almalinux/nodejs-full-i18n | < 1:22.22.2-1.module_el8.10.0+4158+e796f37f |
| pkg:rpm/almalinux/nodejs-libs | < 1:22.22.2-1.module_el8.10.0+4158+e796f37f |
| pkg:rpm/almalinux/nodejs-nodemon | < 3.0.1-1.module_el8.10.0+4006+3c416519 |
| pkg:rpm/almalinux/nodejs-npm | < 1:10.9.7-1.22.22.2.1.el10_1 |
| pkg:rpm/almalinux/nodejs-packaging | < 2021.06-6.module_el8.10.0+4158+e796f37f |
| pkg:rpm/almalinux/nodejs-packaging-bundler | < 2021.06-6.module_el8.10.0+4158+e796f37f |
| pkg:rpm/almalinux/npm | < 1:10.9.7-1.22.22.2.1.module_el8.10.0+4158+e796f37f |
| pkg:rpm/almalinux/v8-12.4-devel | < 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37f |
| pkg:rpm/opensuse/velociraptor&distro=openSUSE%20Tumbleweed | < 0.7.0.4.git185.a5708584-2.1 |
| pkg:rpm/suse/cockpit&distro=SUSE%20Linux%20Enterprise%20Micro%205.5 | < 298-150500.3.12.1 |
| isaacs/minimatch (GitHub, v5) | >= 10.0.0, < 10.2.3 |
References
- github.com/advisories/GHSA-23c5-xmqv-rm74 (source: GHSA; type: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-27904 (source: GHSA; type: ADVISORY)
- github.com/isaacs/minimatch/commit/11d0df6165d15a955462316b26d52e5efae06fce (source: GHSA; type: WEB)
- github.com/isaacs/minimatch/security/advisories/GHSA-23c5-xmqv-rm74 (source: GHSA; tags: x_refsource_CONFIRM, WEB)