CVE-2026-27904 — Regex Denial of Service in Minimatch

CWE-1333 — Regex Denial of Service8 documents7 sources

Severity

7.5HIGHNVD

EPSS

0.0%

top 93.12%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Isaacs Minimatch Minimatch Project Minimatch Debian Node-minimatch

Timeline

PublishedFeb 26

Description

minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), which exhibit catastrophic backtracking in V8. With a 12-byte pattern `*(*(*(a|b)))` and an 18-byte non-matching input, `minimatch()` stalls for over 7 seconds. Adding a single nesting level or a few input characters pushe…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶CVEListV5isaacs/minimatch< 3.1.4+7

▶debiandebian/node-minimatch< node-minimatch 9.0.7-1 (sid)

▶NVDminimatch_project/minimatch4.0.0 — 4.2.5+7

▶npmminimatch_project/minimatch10.0.0 — 10.2.3+7

🔴Vulnerability Details

GHSA

minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions↗2026-02-26

▶

OSV

CVE-2026-27904: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects↗2026-02-26

▶

OSV

minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions↗2026-02-26

▶

📋Vendor Advisories

Red Hat

minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions↗2026-02-26

▶

Debian

CVE-2026-27904: node-minimatch - minimatch is a minimal matching utility for converting glob expressions into Jav...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-27904 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

💬Community

Bugzilla

CVE-2026-27904 minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions↗2026-02-26

▶