Platform: nodejs
Component: minimatch
Fixed in: 10.0.1, 9.0.1, 8.0.1, 7.0.1, 6.0.1, 5.0.1, 4.0.1, 3.1.4, 4.2.6, 5.1.9, 6.2.3, 7.4.9, 8.0.7, 9.0.8, 10.2.4, 10.2.3
CVE-2026-27903 describes a denial-of-service vulnerability found in the minimatch library. The vulnerability arises from unbounded recursive backtracking within the matchOne() function when processing glob patterns with multiple non-adjacent GLOBSTAR segments. This can lead to excessive CPU usage and application stalls, particularly with complex patterns and long paths. The vulnerability affects versions of minimatch prior to 10.2.3, and a patch has been released.
CVE-2026-27903 in the minimatch library (Node.js) affects the handling of glob patterns with multiple non-adjacent ** (GLOBSTAR) segments. When the input path does not match the pattern, the matchOne() function performs unbounded recursive backtracking. This leads to a time complexity of O(C(n, k)), where n is the number of path segments and k is the number of globstars. With a significant number of globstars (e.g., k=13), a single match can take more than 15 seconds, causing a denial of service (DoS). The absence of memoization or a call budget exacerbates the issue, allowing resource consumption to spike. This is particularly concerning in applications that match file or directory paths extensively, such as web servers or build tools.
An attacker could exploit this vulnerability by providing a malicious glob pattern containing multiple non-adjacent ** segments and an input path that does not match. This could be achieved through a malicious HTTP request, a corrupted configuration file, or any other mechanism that allows the attacker to control the glob pattern used by Node.js. Successful exploitation can result in a denial-of-service, preventing the application from processing requests or performing critical tasks. The difficulty of exploitation depends on the attacker’s ability to influence the glob pattern used by the application.
Exploit status:
EPSS: 0.02% (5th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2026-27903 is to update minimatch to version 10.2.3 or higher (or to the patched release of the major version you use, as listed above). This version includes a fix that limits the recursion depth in the matchOne() function, preventing the unbounded backtracking. Additionally, validate and sanitize input paths and patterns before passing them to the matcher to reduce the attack surface. Where an immediate update is not possible, consider limiting the number of globstars allowed in glob patterns, although this may impact functionality. Monitoring CPU usage of Node.js processes can help detect a DoS attempt based on this vulnerability.
Update the minimatch dependency to version 10.2.3 or higher. This fixes the ReDoS vulnerability caused by combinatorial backtracking in the matchOne() function when multiple non-adjacent GLOBSTAR segments are used. Run `npm install minimatch@latest` or `yarn upgrade minimatch` to get the latest version.
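The two interim mitigations above (capping globstars in untrusted patterns, and bounding the matcher's work) as an added example; this is not minimatch's code or its patch. The toy matcher below handles only literal segments, `*` (exactly one segment) and `**` (zero or more segments), and the budget and globstar limit are illustrative values.

```javascript
'use strict';

// Count non-adjacent '**' segments in a pattern. Adjacent globstars are
// collapsed into one, matching how minimatch treats them.
function countGlobstars(pattern) {
  let count = 0;
  let prevWasGlobstar = false;
  for (const seg of pattern.split('/')) {
    const isGlobstar = seg === '**';
    if (isGlobstar && !prevWasGlobstar) count++;
    prevWasGlobstar = isGlobstar;
  }
  return count;
}

// Guard to apply before handing an untrusted pattern to a glob matcher;
// maxGlobstars is an illustrative default, not a value from the advisory.
function isPatternAllowed(pattern, maxGlobstars = 3) {
  return countGlobstars(pattern) <= maxGlobstars;
}

// Segment-level matcher with a hard budget on recursive calls. Returns
// true/false once the match is decided and throws when the budget runs out,
// so a non-matching path against a globstar-heavy pattern cannot stall
// the process the way unbounded backtracking does.
function matchWithBudget(pattern, path, budget = 10000) {
  const pat = pattern.split('/');
  const file = path.split('/');
  let calls = 0;
  function rec(pi, fi) {
    if (++calls > budget) throw new RangeError('glob match budget exceeded');
    if (pi === pat.length) return fi === file.length;
    if (pat[pi] === '**') {
      // Try every number of path segments the globstar could absorb.
      for (let k = fi; k <= file.length; k++) if (rec(pi + 1, k)) return true;
      return false;
    }
    if (fi === file.length) return false;
    if (pat[pi] === '*' || pat[pi] === file[fi]) return rec(pi + 1, fi + 1);
    return false;
  }
  return rec(0, 0);
}
```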
A glob pattern is a string that uses wildcard characters to represent file or directory names. ** is a globstar that represents zero or more directories.
Version 10.2.3 includes a fix that limits the recursion depth in the matchOne() function, preventing the denial-of-service caused by the vulnerability.
You can consider limiting the number of globstars allowed in glob patterns or monitoring system resource usage.
If you are using a version of minimatch prior to 10.2.3 and match file paths against glob patterns, you are likely vulnerable.
Not necessarily. It affects applications that use the matchOne() function to process glob patterns, especially those that handle complex file paths.