Platform: nodejs
Component: minimatch
Fixed in: 10.0.1, 9.0.1, 8.0.1, 7.0.1, 6.0.1, 5.0.1, 4.0.1, 3.1.5, 10.2.3
CVE-2026-27904 describes a Denial of Service (DoS) vulnerability within the minimatch library, a widely used component in Node.js projects for glob pattern matching. This vulnerability stems from the use of nested *() and +() extglobs, which can generate regular expressions containing unbounded quantifiers. These expressions are susceptible to catastrophic backtracking in V8, causing significant performance degradation and potential service unavailability. Affected versions include minimatch releases prior to 10.2.3; upgrading resolves the issue.
The core of the vulnerability lies in the way minimatch translates extended glob patterns into regular expressions. Specifically, nested *() and +() patterns create regular expressions with unbounded quantifiers inside other unbounded quantifiers (e.g., (?:(?:a|b))*). When presented with a carefully crafted input string, the V8 JavaScript engine attempts to match this regex and falls into exponential backtracking. This consumes excessive CPU time and can stall the Node.js process for extended periods, effectively rendering the application unresponsive. The minimum viable pattern to trigger this is only 12 bytes, making exploitation relatively straightforward. The impact extends to any Node.js application that passes untrusted glob patterns to minimatch for file or path matching, potentially disrupting critical services and degrading the user experience.
This vulnerability was publicly disclosed on February 26, 2026. While no active exploitation campaigns have been definitively linked to CVE-2026-27904 at the time of writing, the ease of triggering the vulnerability with a short pattern suggests a potential for exploitation. The vulnerability is not currently listed on CISA KEV, but its potential for widespread impact warrants monitoring. Public proof-of-concept code is likely to emerge, increasing the risk of exploitation.
Exploit Status
EPSS: 0.02% (4th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-27904 is to upgrade the minimatch dependency to version 10.2.3 or later. This version includes a fix that prevents the generation of problematic regular expressions. If upgrading is not immediately feasible due to compatibility constraints or breaking changes, consider implementing input validation to restrict the use of nested *() and +() patterns in glob strings. While not a complete solution, this can reduce the attack surface. Additionally, consider implementing rate limiting or resource quotas on the Node.js process to prevent a single malicious request from consuming excessive resources and impacting other users. After upgrading, confirm the fix by attempting to trigger the vulnerable pattern with a known malicious input and verifying that the application remains responsive.
Update the minimatch dependency to version 10.2.3 or higher. This will fix the ReDoS vulnerability caused by regular expressions with catastrophic backtracking. Run `npm install minimatch@latest` or `yarn upgrade minimatch@latest` to update.
CVE-2026-27904 is a Denial of Service vulnerability in the minimatch library for Node.js, allowing attackers to trigger catastrophic backtracking in regular expressions, leading to service stalls.
You are affected if you are using minimatch versions prior to 10.2.3 in your Node.js projects and are processing user-supplied glob patterns.
Upgrade the minimatch dependency to version 10.2.3 or later. If immediate upgrade is not possible, implement input validation to restrict the use of nested *() and +() patterns.
While no active exploitation campaigns have been confirmed, the ease of triggering the vulnerability suggests a potential for exploitation and warrants monitoring.
Refer to the minimatch project's repository and release notes for the official advisory and details on the fix: https://github.com/trysound/node-minimatch