Platform
nodejs
Component
minimatch
Fixed in
10.0.1
9.0.1
8.0.1
7.0.1
6.0.1
5.0.1
4.0.1
3.1.5
10.2.3
CVE-2026-27904 describes a Denial of Service (DoS) vulnerability in minimatch, a glob pattern matching library used throughout the Node.js ecosystem. It stems from nested *() and +() extglobs, which minimatch compiles into regular expressions containing nested unbounded quantifiers. Such expressions are subject to catastrophic backtracking in V8, so a single pattern can pin the CPU for a very long time and make the service unavailable. The current line is fixed in 10.2.3; the "Fixed in" list above also carries backported releases for the older major lines (9.0.1 down to 3.1.5), so a project pinned to an older line can patch without a major-version jump. Any release older than the fixed release of its line is affected.
The core of the vulnerability lies in the way minimatch translates extended glob patterns into regular expressions. A *() or +() group becomes a non-capturing group with an unbounded quantifier, and nesting one inside another yields a quantified group inside a quantified group (e.g., (?:(?:a|b)*)* for a *() nested in a *()). Given a carefully chosen input string that almost matches, V8 explores an exponential number of ways to split the input between the two quantifiers before failing. Because regex matching is synchronous, this blocks the event loop: not just the offending request but every request on that Node.js process stalls for the duration. The minimum viable pattern to trigger this is only 12 bytes, so the trigger is cheap to deliver. The impact extends to any Node.js application that passes untrusted glob patterns to minimatch for file or path matching, potentially disrupting critical services and impacting user experience.
This vulnerability was publicly disclosed on February 26, 2026. At the time of writing no active exploitation campaign has been linked to CVE-2026-27904 and it is not listed in CISA KEV, but the short pattern needed to trigger it, and the fact that the trigger is an ordinary string rather than a memory-corruption primitive, make exploitation straightforward wherever a pattern can be supplied from outside. Its potential for widespread impact warrants monitoring; public proof-of-concept code should be expected.
Applications that use Node.js and rely on minimatch for file system operations or path matching are at risk. This includes web servers, build tools, and any Node.js application that processes user-supplied file paths or glob patterns. Exposure is highest where the pattern itself crosses a trust boundary (an API parameter, an uploaded configuration, a repository handed to a CI build). The Node.js version is not the deciding factor; what matters is which minimatch versions are pinned in the dependency tree, including transitive copies bundled by build tools and linters, which is why fixes were backported to several older major lines.
• nodejs / server: list every installed copy of minimatch, including transitive ones pulled in by build tools and linters, and compare each reported version against the fixed releases above:
npm ls minimatch --all
(use yarn why minimatch or pnpm why minimatch for the other package managers; npm audit flags the copies once the advisory database carries an entry for this CVE)
• generic web: inspect application logs and metrics for requests that pin the Node.js event loop (sustained 100% CPU on one worker, event-loop lag, request timeouts) while a user-supplied glob pattern is being handled; that is the signature of catastrophic backtracking.
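The version check above is manual. The following is an added example, not part of the advisory or of the minimatch project: it walks the JSON form of the same `npm ls minimatch --all --json` output and flags every installed copy that is older than the fixed release of its major line, using the "Fixed in" list from this page. The dependency tree in the block is constructed, and where a line lists more than one fixed release the example conservatively requires the highest one.

```javascript
// Added example (not from the advisory or the minimatch project): audit an
// `npm ls minimatch --all --json` tree against the fixed releases listed on
// this page. The sample tree below is constructed.

const FIXED_IN = ['10.2.3', '10.0.1', '9.0.1', '8.0.1', '7.0.1',
                  '6.0.1', '5.0.1', '4.0.1', '3.1.5'];

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]"; build metadata is ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || '' };
}

// Semver-style ordering: numeric core first, then a prerelease sorts below the release.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  if (pa.pre === pb.pre) return 0;
  if (!pa.pre) return 1;
  if (!pb.pre) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Highest fixed release per major line, e.g. { 10: '10.2.3', 9: '9.0.1', ... }.
// Conservative reading of the list: the text says releases prior to 10.2.3 are affected.
const FIXED_BY_MAJOR = {};
for (const v of FIXED_IN) {
  const major = parseVersion(v).nums[0];
  if (!FIXED_BY_MAJOR[major] || compareVersions(v, FIXED_BY_MAJOR[major]) > 0) {
    FIXED_BY_MAJOR[major] = v;
  }
}

// A major line with no backport on the list (e.g. 2.x) is treated as unfixed.
function isFixed(version) {
  const fixed = FIXED_BY_MAJOR[parseVersion(version).nums[0]];
  return fixed !== undefined && compareVersions(version, fixed) >= 0;
}

// Recursively collect every "minimatch" node with its dependency path.
function findMinimatch(node, path = [], out = []) {
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    if (!child.version) continue; // missing/invalid entries carry no version
    const here = [...path, `${name}@${child.version}`];
    if (name === 'minimatch') {
      out.push({ version: child.version, path: here.join(' > '), fixed: isFixed(child.version) });
    }
    findMinimatch(child, here, out);
  }
  return out;
}

function auditTree(tree) {
  const copies = findMinimatch(tree);
  return { copies, vulnerable: copies.filter((c) => !c.fixed) };
}

// Constructed sample resembling `npm ls minimatch --all --json` output.
const SAMPLE_TREE = {
  name: 'example-app',
  version: '1.0.0',
  dependencies: {
    minimatch: { version: '10.2.3' },
    'build-tool': { version: '2.0.0', dependencies: { minimatch: { version: '3.1.2' } } },
    'lint-tool': { version: '5.0.0', dependencies: { minimatch: { version: '9.0.1' } } },
    'old-lib': { version: '0.1.0', dependencies: { minimatch: { version: '2.0.10' } } },
  },
};

const result = auditTree(SAMPLE_TREE);
for (const c of result.copies) {
  console.log(`${c.fixed ? 'OK  ' : 'VULN'} ${c.version.padEnd(8)} ${c.path}`);
}
```

On a real project, feed `JSON.parse` of the `npm ls minimatch --all --json` output into `auditTree`; each flagged path tells you which package pins the old copy, which is what you need to decide between an `overrides`/`resolutions` entry and an upstream upgrade.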
Disclosure
Exploit status
EPSS
0.02% (4th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-27904 is to upgrade minimatch to version 10.2.3 or later, or to the backported fixed release of the major line you are pinned to (see the list above). The fix prevents the problematic regular expressions from being generated. If upgrading is not immediately feasible due to compatibility constraints, reduce the attack surface in the meantime: if your code does not use extglobs at all, pass minimatch's noext option (noext: true), which disables *() and +() style groups entirely; otherwise validate incoming patterns, reject any in which a *() or +() group is nested inside another extglob, and cap pattern length. Neither is a complete fix. Additionally, rate limiting and per-request resource quotas (or running matches against untrusted patterns in a worker with a timeout) keep a single malicious request from taking the whole process down. After upgrading, confirm the fix by running a known-bad pattern against the upgraded version and verifying that the call returns promptly and the application stays responsive.
Update the minimatch dependency to version 10.2.3 or later. This fixes the ReDoS vulnerability caused by regular expressions with catastrophic backtracking. Run `npm install minimatch@latest` or `yarn upgrade minimatch@latest` to update. Note that this only moves your direct dependency; transitive copies pinned by other packages need an `overrides` entry (npm) or `resolutions` entry (yarn), or an upgrade of the package that pins them, and staying on the backported fixed release of the same major line avoids breaking those packages.
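The following is an added example, not minimatch's own code, tying together the mechanism described above (nested *() and +() groups compiling to nested unbounded quantifiers) and the input-validation mitigation. The first function is a deliberately simplified toy translation of extglob groups into regex source, enough to show the (?:(?:a|b)*)* shape; it is not minimatch's algorithm and ignores !(), braces and globstar. The second part is a pattern gate that rejects a *() or +() nested inside another unbounded extglob, unbalanced groups and over-long patterns, plus a wrapper that takes the real matcher as a parameter (assumed to have the minimatch(path, pattern, options) call shape) so the gate can be exercised without the library installed.

```javascript
// Added example, not minimatch's own code. Toy extglob-to-regex translation
// (illustration only) plus a pattern gate to put in front of the real matcher.

const EXTGLOB_OPENERS = new Set(['@', '*', '+', '?']);
const UNBOUNDED = new Set(['*', '+']);
// Regex quantifier emitted when an extglob group closes; @() has none.
const CLOSE_QUANTIFIER = { '@': '', '*': '*', '+': '+', '?': '?' };
const escapeRegex = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// Toy translator: shows how *(..) / +(..) nesting becomes nested quantifiers.
function toyExtglobToRegexSource(pattern) {
  let out = '';
  const stack = [];
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === '\\' && i + 1 < pattern.length) {          // escaped char is literal
      out += escapeRegex(pattern[i + 1]);
      i++;
    } else if (EXTGLOB_OPENERS.has(c) && pattern[i + 1] === '(') {
      stack.push(c);
      out += '(?:';
      i++;                                                // consume '('
    } else if (c === ')' && stack.length) {
      out += ')' + CLOSE_QUANTIFIER[stack.pop()];
    } else if (c === '|' && stack.length) {
      out += '|';
    } else if (c === '*') {
      out += '[^/]*';
    } else if (c === '?') {
      out += '[^/]';
    } else {
      out += escapeRegex(c);
    }
  }
  return out;
}

// Gate: report extglob nesting in a pattern without translating it.
function analyzeExtglobs(pattern) {
  const stack = [];
  let nestedUnbounded = false;
  let maxDepth = 0;
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === '\\') { i++; continue; }                    // skip escaped char
    if ((EXTGLOB_OPENERS.has(c) || c === '!') && pattern[i + 1] === '(') {
      // a *() or +() opened while another *() or +() is still open
      if (UNBOUNDED.has(c) && stack.some((t) => UNBOUNDED.has(t))) nestedUnbounded = true;
      stack.push(c);
      maxDepth = Math.max(maxDepth, stack.length);
      i++;
    } else if (c === ')' && stack.length) {
      stack.pop();
    }
  }
  return { maxDepth, nestedUnbounded, unbalanced: stack.length > 0 };
}

function isSafePattern(pattern, { maxLength = 256, maxExtglobDepth = 2 } = {}) {
  if (typeof pattern !== 'string' || pattern.length > maxLength) return false;
  const a = analyzeExtglobs(pattern);
  return !a.nestedUnbounded && !a.unbalanced && a.maxDepth <= maxExtglobDepth;
}

// `matcher` is the real matcher, e.g. require('minimatch').minimatch (assumed
// (path, pattern, options) signature); injected so this runs without it.
function guardedMatch(matcher, path, pattern, options = {}) {
  if (!isSafePattern(pattern)) {
    throw new Error(`rejected glob pattern: ${JSON.stringify(pattern)}`);
  }
  return matcher(path, pattern, options);
}

for (const p of ['+(a|b).txt', '*(*(a|b))']) {
  console.log(p, '->', toyExtglobToRegexSource(p), isSafePattern(p) ? 'accepted' : 'rejected');
}
```

In an application the call becomes guardedMatch(minimatch, file, userPattern, options); if extglobs are not needed at all, passing { noext: true } in the options removes the whole class of patterns and the gate is unnecessary. The gate is a stopgap for unpatched versions, not a substitute for the upgrade.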
CVE-2026-27904 is a Denial of Service vulnerability in the minimatch library for Node.js: a short glob pattern with nested *() or +() extglobs compiles to a regular expression that backtracks catastrophically, stalling the Node.js event loop.
You are affected if any copy of minimatch in your dependency tree (direct or transitive) is older than the fixed release of its major line (10.2.3 for the current line) and glob patterns from outside your trust boundary reach it.
Upgrade the minimatch dependency to version 10.2.3 or later, or to the backported fixed release of your major line. If an immediate upgrade is not possible, disable extglobs with noext: true where they are not needed, and otherwise validate incoming patterns to reject nested *() and +() groups.
No active exploitation campaign has been confirmed, but the vulnerability is easy to trigger with a short pattern, so exposure warrants monitoring and prompt patching.
Refer to the minimatch project's repository and release notes for the official advisory and details on the fix: https://github.com/trysound/node-minimatch