VYPR
High severityNVD Advisory· Published Feb 26, 2026· Updated Feb 26, 2026

minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions

CVE-2026-27904

Description

minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested *() extglobs produce regexps with nested unbounded quantifiers (e.g. (?:(?:a|b)*)*), which exhibit catastrophic backtracking in V8. With a 12-byte pattern *(*(*(a|b))) and an 18-byte non-matching input, minimatch() stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default minimatch() API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects +() extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
minimatchnpm
>= 10.0.0, < 10.2.310.2.3
minimatchnpm
>= 9.0.0, < 9.0.79.0.7
minimatchnpm
>= 8.0.0, < 8.0.68.0.6
minimatchnpm
>= 7.0.0, < 7.4.87.4.8
minimatchnpm
>= 6.0.0, < 6.2.26.2.2
minimatchnpm
>= 5.0.0, < 5.1.85.1.8
minimatchnpm
>= 4.0.0, < 4.2.54.2.5
minimatchnpm
< 3.1.43.1.4

Affected products

110

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.

CVE-2026-27904 · high · VYPR