Platform
nodejs
Component
minimatch
Fixed in
10.0.1
9.0.1
8.0.1
7.0.1
6.0.1
5.0.1
4.0.1
3.1.4
3.1.4
4.2.6
5.1.9
6.2.3
7.4.9
8.0.7
9.0.8
10.2.4
10.2.3
CVE-2026-27903 describes a denial-of-service vulnerability found in the minimatch library. The vulnerability arises from unbounded recursive backtracking within the matchOne() function when processing glob patterns with multiple non-adjacent GLOBSTAR segments. This can lead to excessive CPU usage and application stalls, particularly with complex patterns and long paths. The vulnerability affects versions of minimatch prior to 10.2.3, and a patch has been released.
CVE-2026-27903 in the minimatch library for Node.js affects the handling of glob patterns with multiple non-adjacent ** (GLOBSTAR) segments. When the input path does not match the pattern, the matchOne() function performs unbounded recursive backtracking. This leads to a time complexity of O(C(n, k)), where n is the number of path segments and k is the number of globstars. With a significant number of globstars (e.g., k=13), execution can exceed 15 seconds, causing a denial-of-service (DoS). The absence of memoization or a call budget exacerbates the issue, allowing resource consumption to spike. This vulnerability is particularly concerning in applications that process file or directory paths extensively, such as web servers or build tools.
An attacker could exploit this vulnerability by providing a malicious glob pattern containing multiple non-adjacent ** segments and an input path that does not match. This could be achieved through a malicious HTTP request, a corrupted configuration file, or any other mechanism that allows the attacker to control the glob pattern used by Node.js. Successful exploitation can result in a denial-of-service, preventing the application from processing requests or performing critical tasks. The difficulty of exploitation depends on the attacker’s ability to influence the glob pattern used by the application.
Exploit status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-27903 is to update minimatch to version 10.2.3 or higher. This version includes a fix that limits the recursion depth in the matchOne() function, preventing the unbounded backtracking. Additionally, it is recommended to validate and sanitize input paths before using them in glob patterns to reduce the attack surface. In environments where immediate updates are not possible, consider limiting the number of globstars allowed in glob patterns, although this may impact functionality. Monitoring CPU and memory usage in Node.js processes can help detect potential DoS attacks based on this vulnerability.
Update the minimatch dependency to version 10.2.3 or higher. This fixes the ReDoS vulnerability caused by combinatorial backtracking in the matchOne() function when multiple non-adjacent GLOBSTAR segments are used. Run `npm install minimatch@latest` or `yarn upgrade minimatch` to obtain the latest version.
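As an added example (not minimatch's code, nor the upstream fix), a toy segment matcher that reproduces the combinatorial backtracking from the description above and adds the defences the mitigation section mentions: a call budget, memoisation of failed states, and a globstar-count pre-check. All names, and the constructed pattern and path, are illustrative assumptions.

```javascript
// Added example, not minimatch's own code: a toy segment matcher whose
// recursion has the shape the advisory describes (one branch per way a
// GLOBSTAR can absorb segments), instrumented to count work, plus the two
// defences the text names: a call budget and memoisation of failed states.
// Pattern and path are arrays of segments; '**' is GLOBSTAR, any other
// segment must match literally.
function matchSegments(pattern, path, { budget = Infinity, memo = false } = {}) {
  let calls = 0;       // recursive invocations, memo hits included
  let leafChecks = 0;  // times the pattern was exhausted (the C(n, k) leaves)
  const failed = memo ? new Set() : null;

  function rec(pi, fi) {
    calls++;
    if (calls > budget) throw new RangeError(`call budget ${budget} exceeded`);
    const key = pi * (path.length + 1) + fi;
    if (failed && failed.has(key)) return false;
    let ok;
    if (pi === pattern.length) {
      leafChecks++;
      ok = fi === path.length;
    } else if (pattern[pi] === '**') {
      // GLOBSTAR: try absorbing 0, 1, 2, ... of the remaining path segments.
      ok = false;
      for (let f = fi; f <= path.length && !ok; f++) ok = rec(pi + 1, f);
    } else {
      ok = fi < path.length && pattern[pi] === path[fi] && rec(pi + 1, fi + 1);
    }
    if (!ok && failed) failed.add(key); // a (pi, fi) that failed once always fails
    return ok;
  }

  const matched = rec(0, 0);
  return { matched, calls, leafChecks };
}

// Pre-check from the mitigation section: refuse patterns with too many GLOBSTARs.
function countGlobstars(pattern) {
  return pattern.filter((seg) => seg === '**').length;
}

// Constructed worst case: k = 3 non-adjacent GLOBSTARs, n = 12 matching
// segments followed by one that breaks the match, so every branch is explored.
const PATTERN = '**/a/**/a/**/a'.split('/');
const PATH = ('a/'.repeat(12) + 'b').split('/');

function demo() {
  const naive = matchSegments(PATTERN, PATH);
  const memoised = matchSegments(PATTERN, PATH, { memo: true });
  return { naive, memoised, globstars: countGlobstars(PATTERN) };
}
```

For this input the naive matcher reaches the end of the pattern C(12, 3) = 220 times, while the memoised version reaches it 10 times; a budget of 500 calls rejects the naive run before it finishes.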
A glob pattern is a string that uses wildcard characters to represent file or directory names. ** is a globstar that represents zero or more directories.
Version 10.2.3 includes a fix that limits the recursion depth in the matchOne() function, preventing the denial-of-service caused by the vulnerability.
You can consider limiting the number of globstars allowed in glob patterns or monitoring system resource usage.
If you are using a version of minimatch prior to 10.2.3 and process file paths with glob patterns, you are likely vulnerable.
Not necessarily. It affects applications that use the matchOne() function to process glob patterns, especially those that handle complex file paths.