Debian Node-Minimatch vulnerabilities
5 known vulnerabilities affecting debian/node-minimatch.
Total CVEs: 5
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 4, LOW 1
Vulnerabilities
CVE-2026-27903 | HIGH | CVSS 7.5 | fixed in node-minimatch 9.0.7-1 (sid) | 2026
CVE-2026-27903 [HIGH] CVE-2026-27903: node-minimatch - minimatch is a minimal matching utility for converting glob expressions into Jav...
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, `matchOne()` performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent `**` (GLOBSTAR) segments and the input path does not match. The time comp
debian
CVE-2026-26996 | HIGH | CVSS 8.7 | fixed in node-minimatch 9.0.7-1 (sid) | 2026
CVE-2026-26996 [HIGH] CVE-2026-26996: node-minimatch - minimatch is a minimal matching utility for converting glob expressions into Jav...
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? r
debian
CVE-2026-27904 | HIGH | CVSS 7.5 | fixed in node-minimatch 9.0.7-1 (sid) | 2026
CVE-2026-27904 [HIGH] CVE-2026-27904: node-minimatch - minimatch is a minimal matching utility for converting glob expressions into Jav...
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), which exhibit catastrophic backtracking in V8. With a 12-byte pattern `*(*(*(a|b)))
debian
CVE-2022-3517 | HIGH | CVSS 7.5 | fixed in node-minimatch 3.0.5+~3.0.5-1 (bookworm) | 2022
CVE-2022-3517 [HIGH] CVE-2022-3517: node-minimatch - A vulnerability was found in the minimatch package. This flaw allows a Regular E...
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Scope: local
bookworm: resolved (fixed in 3.0.5+~3.0.5-1)
bullseye: resolved (fixed in 3.0.4+~3.0.3-1+deb11u1)
forky: resolved (fixed in 3.0.5+~3.0.5-
debian
CVE-2016-10540 | LOW | CVSS 7.5 | fixed in node-minimatch 3.0.3-1 (bookworm) | 2016
CVE-2016-10540 [HIGH] CVE-2016-10540: node-minimatch - Minimatch is a minimal matching utility that works by converting glob expression...
Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript `RegExp` objects. The primary function, `minimatch(path, pattern)` in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the `pattern` parameter.
Scope: local
bookworm: resolved (fixed in 3.0.3-1)
bullseye: resolved (fixed in 3.0.3-1)
forky: resolved (fixed in
debian