Minimatch Project Minimatch vulnerabilities

5 known vulnerabilities affecting minimatch_project/minimatch.

Total CVEs

5

CISA KEV

0

Public exploits

0

Exploited in wild

0

Severity breakdown

HIGH5

Vulnerabilities

Page 1 of 1

CVE-2026-27903HIGHCVSS 7.5fixed in 3.1.3≥ 4.0.0, < 4.2.5+6 more2026-02-26

CVE-2026-27903 [HIGH] CWE-407 CVE-2026-27903: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objec minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, `matchOne()` performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent `**` (GLOBSTAR) segments and the input path does not match. The t

CVE-2026-27904HIGHCVSS 7.5fixed in 3.1.4≥ 4.0.0, < 4.2.5+6 more2026-02-26

CVE-2026-27904 [HIGH] CWE-1333 CVE-2026-27904: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objec minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), which exhibit catastrophic backtracking in V8. With a 12-byte pattern `*(*

CVE-2026-26996HIGHCVSS 8.7≥ 3.0.0, < 3.1.3≥ 4.0.0, < 4.2.4+6 more2026-02-20

CVE-2026-26996 [HIGH] CWE-1333 CVE-2026-26996: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objec minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate

CVE-2022-3517HIGHCVSS 7.5fixed in 3.0.5vminimatch versions prior to 3.0.52022-10-17

CVE-2022-3517 [HIGH] CWE-400 CVE-2022-3517: A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

CVE-2016-10540HIGHCVSS 7.5≤ 3.0.12018-05-31

CVE-2016-10540 [HIGH] CWE-400 CVE-2016-10540: Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript `R Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript `RegExp` objects. The primary function, `minimatch(path, pattern)` in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the `pattern` parameter.