CVE-2026-27904
Published 2026-02-26
Priority P344 · Severity high · CVSS 3.1: 7.5
Vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS 0.47% (37.3th percentile)
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), which exhibit catastrophic backtracking in V8. With a 12-byte pattern `*(*(*(a|b)))` and an 18-byte non-matching input, `minimatch()` stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default `minimatch()` API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects `+()` extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.
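Two checks a defender can run while an unpatched minimatch is still in the dependency tree, as an added example that is not code from the minimatch project or the advisory: the first rejects untrusted glob patterns that nest the `*()`/`+()` extglobs the advisory names (the `?()`, `@()` and `!()` forms are assumed bounded and only balance the parser), the second flags a regex source that quantifies a group already holding an unbounded quantifier, the `(?:(?:a|b)*)*` shape described above, and also treats `{n,}` as unbounded, which goes beyond the page's `*`/`+` case. Function names are my own.

```javascript
// Maximum nesting depth of the unbounded extglobs *( ) and +( ) in a glob pattern.
// ?( ) @( ) !( ) and bare parentheses balance the stack but do not count as unbounded.
function unboundedExtglobDepth(pattern) {
  const stack = [];
  let depth = 0, max = 0, escaped = -1;
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === '\\') { escaped = ++i; continue; }   // remember and skip the escaped character
    if (c === '(') {
      const unbounded = i > 0 && '*+'.includes(pattern[i - 1]) && i - 1 !== escaped;
      stack.push(unbounded);
      if (unbounded && ++depth > max) max = depth;
    } else if (c === ')' && stack.length && stack.pop()) {
      depth--;
    }
  }
  return max;
}

// True when the regex source quantifies a group that already contains an unbounded
// quantifier, e.g. (?:(?:a|b)*)* or (?:a+){2,}: the shape that backtracks
// catastrophically. Escapes and character classes are skipped, so [*+] is literal.
function hasNestedUnboundedQuantifier(source) {
  const frames = [];                 // per open group: does it hold an unbounded quantifier?
  const quantLen = (i) => source[i] === '*' || source[i] === '+' ? 1   // length of an
    : (/^\{\d+,\}/.exec(source.slice(i)) || [''])[0].length;           // unbounded quantifier at i
  for (let i = 0; i < source.length; i++) {
    const c = source[i];
    if (c === '\\') { i++; continue; }
    if (c === '[') {
      for (i++; i < source.length && source[i] !== ']'; i++) if (source[i] === '\\') i++;
    } else if (c === '(') {
      frames.push(false);
    } else if (c === ')') {
      const inner = frames.pop();
      const q = quantLen(i + 1);
      if (q && inner) return true;   // quantified group that itself contains a quantifier
      if (q && frames.length) frames[frames.length - 1] = true;
      i += q;
    } else {
      const q = quantLen(i);
      if (q) { if (frames.length) frames[frames.length - 1] = true; i += q - 1; }
    }
  }
  return false;
}

// Gate for untrusted input: nesting depth >= 2 is exactly the advisory's trigger.
const isSafeGlob = (pattern) => unboundedExtglobDepth(pattern) < 2;
```

The second check can be pointed at the `.source` of the RegExp a glob library hands back, so a pattern that passed the first gate is still caught if the compiled form nests quantifiers.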
Affected (25 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | node-minimatch | < node-minimatch 9.0.7-1 (sid) | node-minimatch 9.0.7-1 (sid) |
| isaacs | minimatch | < 3.1.4 | 3.1.4 |
| minimatch_project | minimatch | < 3.1.4 | 3.1.4 |
| minimatch_project | minimatch | >= 0 < 3.1.4 | 3.1.4 |
| minimatch_project | minimatch | >= 10.0.0 < 10.2.3 | 10.2.3 |
| minimatch_project | minimatch | >= 4.0.0 < 4.2.5 | 4.2.5 |
| minimatch_project | minimatch | >= 5.0.0 < 5.1.8 | 5.1.8 |
| minimatch_project | minimatch | >= 6.0.0 < 6.2.2 | 6.2.2 |
| minimatch_project | minimatch | >= 7.0.0 < 7.4.8 | 7.4.8 |
| minimatch_project | minimatch | >= 8.0.0 < 8.0.6 | 8.0.6 |
| minimatch_project | minimatch | >= 9.0.0 < 9.0.7 | 9.0.7 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | 7.5 | HIGH | — |
| vendor_debian | 7.5 | HIGH | — |
| vendor_redhat | 7.5 | HIGH | — |
GHSA
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions
ghsa · 2026-02-26 · HIGH · CWE-1333
### Summary
Nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), which exhibit catastrophic backtracking in V8. With a 12-byte pattern `*(*(*(a|b)))` and an 18-byte non-matching input, `minimatch()` stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default `minimatch()` API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects `+()` extglobs equally.
---
### Details
The root cause is in `AST.toRegExpSource()` at [`src/ast.ts#L598`](https://github.com/isaacs/minimatch/blob/v10.2.2/src/ast.ts#L598
OSV
CVE-2026-27904: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects
osv · 2026-02-26 · CVSS 7.5 · HIGH
Red Hat
minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions
vendor_redhat · 2026-02-26 · CVSS 7.5 · HIGH · CWE-1333
Debian
CVE-2026-27904: node-minimatch - minimatch is a minimal matching utility for converting glob expressions into Jav...
vendor_debian · 2026 · CVSS 7.5 · HIGH
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-27904 minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions
bugzilla · 2026-02-26 · CVSS 7.5 · HIGH
Wiz
CVE-2026-27904 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.5 · HIGH
CVE-2026-27904: JavaScript vulnerability analysis and mitigation
| Field | Value |
|---|---|
| Source | NVD |
| Score | 7.5 |
| Published | February 26, 2026 |
| Severity | HIGH |
| CNA Score | 7.5 |
| Affected Technologies | JavaScript, Grafana |
| Has Public Exploit | Yes |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 4.7 |
| Exploitation Probability (EPSS) | N/A |
| Affected packages and libraries | grafana-prometheus, nodejs22 |
| Sources | NVD |

| Distribution | Severity | Fix status | Added at |
|---|---|---|---|
| Chainguard | | Has Fix | Mar 02, 2026 |
| Debian 11, 12, 13, 14 | HIGH | No Fix | Mar 02, 2026 |
| Echo | HIGH | No Fix | Mar 02, 2026 |
| npm | HIGH | Has Fix | Mar 02, 2026 |
| MinimOS | HIGH | Has Fix | Mar 02, 2026 |
| Red H | | | |

Published 2026-02-26