CVE-2026-33672 — Prototype Pollution in Picomatch

CWE-1321 — Prototype Pollution CWE-624 — Executable Regular Expression Error12 documents7 sources

Severity

5.3MEDIUMNVD

EPSS

0.2%

top 62.51%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Micromatch Picomatch Jonschlinkert Picomatch Debian Node-anymatch +4 more

Timeline

PublishedMar 26

Description

Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to a method injection vulnerability affecting the `POSIX_REGEX_SOURCE` object. Because the object inherits from `Object.prototype`, specially crafted POSIX bracket expressions (e.g., `[[:constructor:]]`) can reference inherited method names. These methods are implicitly converted to strings and injected into the generated regular expression. This leads to incorrect glob matching behavior (int…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages8 packages

▶CVEListV5micromatch/picomatch< 2.3.2+2

▶npmmicromatch/picomatch4.0.0 — 4.0.4+2

▶NVDjonschlinkert/picomatch3.0.0 — 3.0.2+2

▶debiandebian/node-anymatch< node-anymatch 3.1.3+~cs8.0.6-1 (forky)

▶msrcmsrc/cbl2_reaper_3.1.1-22_on_cbl_mariner_2.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2026-33672: Picomatch is a glob matcher written JavaScript↗2026-03-26

▶

OSV

Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching↗2026-03-25

▶

GHSA

Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching↗2026-03-25

▶

📋Vendor Advisories

Red Hat

picomatch: Picomatch: Data integrity compromised via method injection with crafted POSIX bracket expressions↗2026-03-26

▶

Microsoft

Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching↗2026-03-10

▶

Debian

CVE-2026-33672: node-anymatch - Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, ...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2025-59465 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2025-59466 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2025-55131 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-33672 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-21637 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶