Platform
nodejs
Component
picomatch
Fixed in
4.0.1
3.0.1
2.3.3
4.0.4
CVE-2026-33672 describes a method injection vulnerability within the picomatch Node.js package. This flaw allows attackers to manipulate glob matching behavior through specially crafted POSIX bracket expressions, potentially leading to unintended file matches and data integrity issues. The vulnerability impacts versions of picomatch before 4.0.4, and a patch has been released to address the problem.
The method injection vulnerability in picomatch stems from how the POSIXREGEXSOURCE object handles inherited methods. Attackers can leverage this by injecting malicious POSIX bracket expressions, such as [[:constructor:]], which reference inherited method names. These methods are then implicitly converted to strings and incorporated into the generated regular expression. While this vulnerability does not enable remote code execution, it can have significant security implications. Incorrect glob matching can lead to unintended file selections, potentially exposing sensitive data or allowing unauthorized access to resources. This represents an integrity impact, as the intended behavior of the glob matching is compromised.
Currently, there is no public proof-of-concept (POC) available for CVE-2026-33672. The vulnerability was disclosed on 2026-03-25. Its EPSS score is pending evaluation. It is not currently listed on the CISA KEV catalog. While no active exploitation campaigns have been reported, the ease of crafting malicious bracket expressions suggests a potential for future exploitation, particularly in environments where input validation is lacking.
Node.js applications that rely on picomatch for file path manipulation or glob matching are at risk. This includes applications that process user-supplied file paths or handle file uploads. Projects using older versions of picomatch, particularly those without robust input validation, are especially vulnerable.
• linux / server:
find / -path '*/node_modules/picomatch*' -type d -print0 | xargs -0 grep -rF '[[:constructor:]]'
• generic web: Inspect application logs for unusual file access patterns or errors related to glob matching after deployments using picomatch.
disclosure
Exploit Status
EPSS
0.17% (38th percentile)
CISA SSVC
CVSS-vector
The primary mitigation for CVE-2026-33672 is to upgrade to picomatch version 4.0.4 or later. This version includes a fix that prevents the injection of inherited methods into the regular expression. If upgrading is not immediately feasible, consider implementing input validation to sanitize POSIX bracket expressions before passing them to picomatch. While not a complete solution, this can reduce the attack surface. Review any existing code that utilizes picomatch for glob matching and ensure that input is properly validated. After upgrading, confirm the fix by testing glob patterns with potentially malicious bracket expressions to verify that they no longer produce unexpected matches.
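The lookup-table flaw described above, and the own-property check that closes it, as an added example that is not picomatch's own code: POSIX_CLASSES_PLAIN, expandPosixVulnerable, expandPosixSafe and globToRegexSource are constructed names standing in for the package's internals, and the vulnerable function reproduces only the behaviour the advisory describes.

```javascript
// Constructed model of the flaw: a plain-object lookup table of POSIX classes
// inherits Object.prototype members such as "constructor", so an untrusted
// class name can return a function that String() turns into regex source.
const POSIX_CLASSES_PLAIN = {
  alpha: 'a-zA-Z',
  digit: '0-9',
};

// Hardened table: a null prototype leaves nothing to inherit.
const POSIX_CLASSES_SAFE = Object.assign(Object.create(null), POSIX_CLASSES_PLAIN);

// Vulnerable expansion of "[[:name:]]": inherited properties leak into the regex.
function expandPosixVulnerable(name) {
  const value = POSIX_CLASSES_PLAIN[name];
  return value === undefined ? null : `[${String(value)}]`;
}

// Hardened expansion: own-property check on a null-prototype table,
// so unknown or inherited names are rejected instead of stringified.
function expandPosixSafe(name) {
  if (!Object.hasOwn(POSIX_CLASSES_SAFE, name)) return null;
  return `[${POSIX_CLASSES_SAFE[name]}]`;
}

function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Minimal glob-to-regex source builder that only understands "[[:name:]]";
// every other character is matched literally. `expand` selects the table logic.
function globToRegexSource(glob, expand) {
  const re = /\[\[:([a-zA-Z]+):\]\]/g;
  let out = '^';
  let last = 0;
  let m;
  while ((m = re.exec(glob)) !== null) {
    out += escapeRegex(glob.slice(last, m.index));
    const cls = expand(m[1]);
    if (cls === null) throw new Error(`unknown POSIX class: ${m[1]}`);
    out += cls;
    last = re.lastIndex;
  }
  return out + escapeRegex(glob.slice(last)) + '$';
}
```

With the vulnerable table, `file[[:constructor:]].txt` compiles to a regex whose character class is the source text of `Object`, so names such as `filea }].txt` match while `file7.txt` does not; the hardened path throws on the same pattern.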
Update picomatch to version 4.0.4, 3.0.2 or 2.3.2, or later, depending on the release line you use. If updating is not immediately possible, avoid passing untrusted glob patterns to picomatch. Consider sanitizing or rejecting untrusted glob patterns, especially those containing POSIX character classes such as `[[:...:]]`.
CVE-2026-33672 is a vulnerability where specially crafted POSIX bracket expressions can manipulate glob matching in picomatch, potentially leading to incorrect file selections and data integrity issues.
You are affected if you are using picomatch versions prior to 4.0.4 and your application processes user-supplied file paths or handles file uploads.
Upgrade to picomatch version 4.0.4 or later. If upgrading is not possible, implement input validation to sanitize POSIX bracket expressions.
No active exploitation campaigns have been reported, but the vulnerability's ease of exploitation suggests a potential for future attacks.
Refer to the picomatch project's release notes and security advisories on their GitHub repository for the official advisory.