CVE-2026-27904
- Source
- https://cve.org/CVERecord?id=CVE-2026-27904
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-27904.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-27904
- Aliases
- Downstream
- Related
- Published
- 2026-02-26T01:07:42.693Z
- Modified
- 2026-04-29T04:16:12.839940Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions
- Details
-
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested
*()extglobs produce regexps with nested unbounded quantifiers (e.g.(?:(?:a|b)*)*), which exhibit catastrophic backtracking in V8. With a 12-byte pattern*(*(*(a|b)))and an 18-byte non-matching input,minimatch()stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the defaultminimatch()API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects+()extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue. - Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27904.json", "cwe_ids": [ "CWE-1333" ], "cna_assigner": "GitHub_M" }- References