Platform
nodejs
Component
picomatch
Fixed in
4.0.1
3.0.1
2.3.3
4.0.4
CVE-2026-33672 describes a method injection vulnerability within the picomatch Node.js package. This flaw allows attackers to manipulate glob matching behavior through specially crafted POSIX bracket expressions, potentially leading to unintended file matches and data integrity issues. The vulnerability impacts versions of picomatch before 4.0.4, and a patch has been released to address the problem.
The method injection vulnerability in picomatch stems from how the POSIXREGEXSOURCE object handles inherited methods. Attackers can leverage this by injecting malicious POSIX bracket expressions, such as [[:constructor:]], which reference inherited method names. These methods are then implicitly converted to strings and incorporated into the generated regular expression. While this vulnerability does not enable remote code execution, it can have significant security implications. Incorrect glob matching can lead to unintended file selections, potentially exposing sensitive data or allowing unauthorized access to resources. This represents an integrity impact, as the intended behavior of the glob matching is compromised.
Currently, there is no public proof-of-concept (POC) available for CVE-2026-33672. The vulnerability was disclosed on 2026-03-25. Its EPSS score is pending evaluation. It is not currently listed on the CISA KEV catalog. While no active exploitation campaigns have been reported, the ease of crafting malicious bracket expressions suggests a potential for future exploitation, particularly in environments where input validation is lacking.
Exploit Status
EPSS
0.17% (38% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-33672 is to upgrade to picomatch version 4.0.4 or later. This version includes a fix that prevents the injection of inherited methods into the regular expression. If upgrading is not immediately feasible, consider implementing input validation to sanitize POSIX bracket expressions before passing them to picomatch. While not a complete solution, this can reduce the attack surface. Review any existing code that utilizes picomatch for glob matching and ensure that input is properly validated. After upgrading, confirm the fix by testing glob patterns with potentially malicious bracket expressions to verify that they no longer produce unexpected matches.
Update the picomatch version to 4.0.4, 3.0.2, or 2.3.2, or later, depending on the release line you use. If updating is not immediately possible, avoid passing untrusted glob patterns to picomatch. Consider sanitizing or rejecting untrusted glob patterns, especially those containing POSIX character classes like `[[:...:]]`.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-33672 is a vulnerability where specially crafted POSIX bracket expressions can manipulate glob matching in picomatch, potentially leading to incorrect file selections and data integrity issues.
You are affected if you are using picomatch versions prior to 4.0.4 and your application processes user-supplied file paths or handles file uploads.
Upgrade to picomatch version 4.0.4 or later. If upgrading is not possible, implement input validation to sanitize POSIX bracket expressions.
No active exploitation campaigns have been reported, but the vulnerability's ease of exploitation suggests a potential for future attacks.
Refer to the picomatch project's release notes and security advisories on their GitHub repository for the official advisory.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.