Platform: nodejs
Component: minimatch
Fixed in: 10.0.1, 9.0.1, 8.0.1, 7.0.1, 6.0.1, 5.0.1, 4.0.1, 3.1.4, 3.1.4, 4.2.6, 5.1.9, 6.2.3, 7.4.9, 8.0.7, 9.0.8, 10.2.4, 10.2.3
CVE-2026-27903 describes a denial-of-service vulnerability found in the minimatch library. The vulnerability arises from unbounded recursive backtracking within the matchOne() function when processing glob patterns with multiple non-adjacent GLOBSTAR segments. This can lead to excessive CPU usage and application stalls, particularly with complex patterns and long paths. The vulnerability affects versions of minimatch prior to 10.2.3, and a patch has been released.
CVE-2026-27903 affects minimatch's handling of glob patterns with multiple non-adjacent ** (GLOBSTAR) segments. When the input path does not match the pattern, the matchOne() function performs unbounded recursive backtracking. This gives a time complexity of O(C(n, k)), the binomial coefficient "n choose k", where n is the number of path segments and k is the number of globstars. With a significant number of globstars (e.g., k=13), execution can exceed 15 seconds, causing a denial-of-service (DoS). Because there is no memoization and no call budget, resource consumption spikes rather than being cut off. This is particularly concerning in applications that process file or directory paths extensively, such as web servers or build tools.
An attacker could exploit this vulnerability by providing a malicious glob pattern containing multiple non-adjacent ** segments and an input path that does not match. This could be achieved through a malicious HTTP request, a corrupted configuration file, or any other mechanism that allows the attacker to control the glob pattern used by Node.js. Successful exploitation can result in a denial-of-service, preventing the application from processing requests or performing critical tasks. The difficulty of exploitation depends on the attacker’s ability to influence the glob pattern used by the application.
Exploit Status
EPSS: 0.02% (5th percentile)
The primary mitigation for CVE-2026-27903 is to update minimatch to version 10.2.3 or higher. This version includes a fix that limits the recursion depth in the matchOne() function, preventing the unbounded backtracking. Additionally, validate and sanitize input paths before using them in glob patterns to reduce the attack surface. Where an immediate update is not possible, consider limiting the number of globstars allowed in glob patterns, although this may impact functionality. Monitoring CPU and memory usage in Node.js processes can help detect a DoS attempt based on this vulnerability.
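As an added example (not minimatch's own code and not from this advisory), a Node.js guard that applies the two points above: it counts the non-adjacent ** runs in an untrusted pattern and checks the C(n, k) worst-case bound against a budget before the pattern ever reaches minimatch. The function names, the default limits (maxGlobstars, maxPathSegments, maxAttempts) and the sample patterns are assumptions chosen for illustration.

```javascript
// Added example, not minimatch code. Guards untrusted glob patterns
// against the combinatorial backtracking described for CVE-2026-27903.

// Count globstar "runs": adjacent ** segments collapse into one, so only
// non-adjacent runs add backtracking choice points in matchOne().
function countGlobstarRuns(pattern) {
  let runs = 0;
  let inRun = false;
  for (const seg of pattern.split('/')) {
    if (seg === '**') {
      if (!inRun) runs++;
      inRun = true;
    } else {
      inRun = false;
    }
  }
  return runs;
}

// Binomial coefficient C(n, k): the advisory's bound on backtracking
// attempts for a non-matching path of n segments against k globstars.
function binomial(n, k) {
  if (k < 0 || k > n) return 0;
  k = Math.min(k, n - k);
  let result = 1;
  for (let i = 1; i <= k; i++) {
    result = (result * (n - k + i)) / i; // stays an exact integer at each step
  }
  return Math.round(result);
}

// Reject a pattern whose worst case exceeds a budget. maxPathSegments is
// the longest path the application expects to match (assumed default: 32).
function validateGlobPattern(pattern, { maxGlobstars = 3, maxPathSegments = 32, maxAttempts = 1e5 } = {}) {
  if (typeof pattern !== 'string') return { ok: false, reason: 'pattern must be a string' };
  const k = countGlobstarRuns(pattern);
  if (k > maxGlobstars) return { ok: false, reason: `too many globstar segments (${k} > ${maxGlobstars})` };
  const worstCase = binomial(maxPathSegments, k);
  if (worstCase > maxAttempts) return { ok: false, reason: `worst-case backtracking ${worstCase} exceeds budget ${maxAttempts}` };
  return { ok: true, globstars: k, worstCase };
}

// Constructed demo patterns: one modest pattern and one with 13 non-adjacent runs.
const demoModest = 'src/**/test/**/x.js';
const demoHeavy = Array.from({ length: 13 }, (_, i) => '**/d' + i).join('/');
console.log(validateGlobPattern(demoModest));
console.log(validateGlobPattern(demoHeavy, { maxGlobstars: 13, maxPathSegments: 30 }));
```

Run the guard on any pattern that originates from a request, a config file or another untrusted source, and log rejections so that repeated attempts show up in monitoring.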
Update the minimatch dependency to version 10.2.3 or higher. This fixes the ReDoS vulnerability caused by combinatorial backtracking in the `matchOne()` function when using multiple non-adjacent GLOBSTAR segments. Run `npm install minimatch@latest` or `yarn upgrade minimatch` to get the latest version.
A glob pattern is a string that uses wildcard characters to represent file or directory names. ** is a globstar that represents zero or more directories.
Version 10.2.3 includes a fix that limits the recursion depth in the matchOne() function, preventing the denial-of-service caused by the vulnerability.
You can consider limiting the number of globstars allowed in glob patterns or monitoring system resource usage.
If you are using a version of minimatch prior to 10.2.3 and process file paths with glob patterns, you are likely vulnerable.
Not necessarily. It affects applications that use the matchOne() function to process glob patterns, especially those that handle complex file paths.