CVE-2026-33671 — Regex Denial of Service in Picomatch

CWE-1333 — Regex Denial of Service12 documents7 sources

Severity

7.5HIGHNVD

EPSS

0.1%

top 82.78%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Micromatch Picomatch Jonschlinkert Picomatch Debian Node-anymatch +4 more

Timeline

PublishedMar 26

Description

Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as `+()` and `*()`, especially when combined with overlapping alternatives or nested extglobs, are compiled into regular expressions that can exhibit catastrophic backtracking on non-matching input. Applications are impacted when they allow untrusted users …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages8 packages

▶CVEListV5micromatch/picomatch< 2.3.2+2

▶npmmicromatch/picomatch4.0.0 — 4.0.4+2

▶NVDjonschlinkert/picomatch3.0.0 — 3.0.2+2

▶debiandebian/node-anymatch< node-anymatch 3.1.3+~cs8.0.6-1 (forky)

▶msrcmsrc/azl3_nodejs24_24.13.0-3_on_azure_linux_3.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2026-33671: Picomatch is a glob matcher written JavaScript↗2026-03-26

▶

OSV

Picomatch has a ReDoS vulnerability via extglob quantifiers↗2026-03-25

▶

GHSA

Picomatch has a ReDoS vulnerability via extglob quantifiers↗2026-03-25

▶

📋Vendor Advisories

Red Hat

picomatch: Picomatch: Regular Expression Denial of Service via crafted extglob patterns↗2026-03-26

▶

Microsoft

Picomatch has a ReDoS vulnerability via extglob quantifiers↗2026-03-10

▶

Debian

CVE-2026-33671: node-anymatch - Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, ...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2025-59465 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2025-59466 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2025-55131 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-21637 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-33671 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶