minimatch: ReDoS caused by repeated wildcards in a pattern combined with a non-matching literal
Platform: nodejs
Component: minimatch
Fixed versions: 10.2.2, 10.2.1
CVE-2026-26996 describes a Regular Expression Denial of Service (ReDoS) vulnerability in the minimatch package, a popular glob matching library used in Node.js projects. This vulnerability allows an attacker to trigger exponential backtracking within the V8 JavaScript engine, leading to significant performance degradation and potential denial of service. The vulnerability affects versions 10.2.0 and earlier, and a fix is available in version 10.2.1.
Impact and attack scenarios
The ReDoS vulnerability in minimatch arises from the use of excessive `*` wildcards in glob patterns. When a pattern containing many consecutive `*` characters is matched against a string that does not contain the expected literal character, the V8 regex engine performs exponential backtracking. This backtracking consumes significant CPU time and can freeze the Node.js process or cause it to crash. The time complexity is O(4^N), where N is the number of `*` characters: a pattern with 15 `*` characters can take 2 seconds to process, while a pattern with 34 `*` characters can effectively hang the system. This makes it possible to cause a remote DoS condition with crafted glob patterns.
Exploitation background
CVE-2026-26996 was publicly disclosed on February 18, 2026. There is no indication of this vulnerability being actively exploited in the wild at this time. The EPSS score is currently unavailable, but given the relatively straightforward nature of triggering ReDoS and the widespread use of minimatch in Node.js projects, the probability of exploitation is considered medium. No public proof-of-concept (PoC) code has been released, but the vulnerability is easily reproducible based on the provided description.
Who is at risk
Node.js projects that rely on the minimatch package for glob pattern matching are at risk. This includes projects using file system watchers, build tools, and any application that processes user-supplied file paths or patterns. Projects using older versions of Node.js that may have transitive dependencies on vulnerable versions of minimatch are also at risk.
Detection steps
• nodejs / server: `npm list minimatch`. This command lists the installed version of minimatch. If the version is lower than 10.2.1, the system is vulnerable.
• nodejs / server: `grep -r 'minimatch.match' ./node_modules/minimatch/`. This command searches for the vulnerable match function within the minimatch module's source code. While not a direct indicator of exploitation, it can help confirm the presence of the vulnerable version.
• nodejs / server: `ps aux | grep -E 'node.*minimatch'`. This command finds Node.js processes that are using the minimatch package. Monitor the CPU usage of these processes for signs of excessive backtracking.
Threat intelligence
EPSS: 0.02% (4th percentile)
Affected software: minimatch package (latest release 10.2.5)
Mitigations and alternatives
The primary mitigation for CVE-2026-26996 is to upgrade the minimatch package to version 10.2.1 or later. This version includes a fix that prevents the exponential backtracking behavior. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing input validation to restrict the complexity of glob patterns used in your application. While not a complete solution, this can reduce the attack surface. Monitor CPU usage and Node.js process health for signs of excessive backtracking. There are no specific WAF rules or detection signatures readily available for this specific ReDoS vulnerability, but general ReDoS detection rules might provide some protection.
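The two defender-side checks this page recommends, the version test from the detection steps and the pattern-complexity limit suggested as an interim mitigation, as an added example that is not code from the minimatch project or from the advisory. The wildcard thresholds are assumptions chosen from the timings quoted above, not values the advisory specifies.

```javascript
// Added example for CVE-2026-26996 (not minimatch's own code).
// 1) isVulnerableMinimatch(): compares an installed version string (e.g. from
//    `npm list minimatch`) against the first fixed release named on this page.
// 2) checkGlobPattern(): rejects user-supplied glob patterns whose wildcard
//    density could drive exponential backtracking, before they reach minimatch.

const FIRST_FIXED_VERSION = '10.2.1';

function parseVersion(v) {
  // Accepts "10.2.0", "minimatch@10.2.0" or "v10.2.0"; pre-release tags are ignored.
  const m = /(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 like a comparator, comparing major.minor.patch numerically.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when the installed minimatch is older than the fixed release.
function isVulnerableMinimatch(installedVersion) {
  return compareVersions(installedVersion, FIRST_FIXED_VERSION) < 0;
}

// Assumed limits: at most 2 consecutive '*' (so a '**' globstar still works),
// a bounded total number of wildcard characters, and a bounded pattern length.
const DEFAULT_LIMITS = { maxConsecutiveStars: 2, maxWildcards: 16, maxLength: 256 };

function checkGlobPattern(pattern, limits = DEFAULT_LIMITS) {
  if (pattern.length > limits.maxLength) {
    return { ok: false, reason: `pattern longer than ${limits.maxLength} chars` };
  }
  const starRuns = (pattern.match(/\*+/g) || []).map(r => r.length);
  const longestStarRun = Math.max(0, ...starRuns);
  if (longestStarRun > limits.maxConsecutiveStars) {
    return { ok: false, reason: `${longestStarRun} consecutive '*' exceed ${limits.maxConsecutiveStars}` };
  }
  const wildcards = (pattern.match(/[*?]/g) || []).length;
  if (wildcards > limits.maxWildcards) {
    return { ok: false, reason: `${wildcards} wildcards exceed ${limits.maxWildcards}` };
  }
  return { ok: true, reason: 'within limits' };
}
```

Call `checkGlobPattern()` on any pattern that comes from an untrusted source and only hand patterns that return `ok: true` to minimatch; the limits are a stopgap until the upgrade lands, not a replacement for it.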
Remediation
Upgrade the minimatch dependency to version 10.2.1 or later. This fixes the ReDoS vulnerability. Run `npm install minimatch@latest` or `yarn upgrade minimatch` to update.
Frequently asked questions
What is CVE-2026-26996 — ReDoS in minimatch for Node.js?
CVE-2026-26996 is a Regular Expression Denial of Service (ReDoS) vulnerability in the minimatch package for Node.js, allowing attackers to cause performance degradation or denial of service through crafted glob patterns.
Am I affected by CVE-2026-26996 in minimatch?
You are affected if your Node.js project uses minimatch version 10.2.0 or earlier. Check your installed version using npm list minimatch.
How do I fix CVE-2026-26996 in minimatch?
Upgrade the minimatch package to version 10.2.1 or later using `npm install minimatch@10.2.1`.
Is CVE-2026-26996 being actively exploited?
There is currently no evidence of CVE-2026-26996 being actively exploited in the wild, but the vulnerability is easily reproducible and could be exploited.
Where can I find the official minimatch advisory for CVE-2026-26996?
Refer to the minimatch project's repository and release notes for the official advisory and details on the fix: [https://github.com/trysound/minimatch](https://github.com/trysound/minimatch)