CVE-2026-26996 describes a Regular Expression Denial of Service (ReDoS) vulnerability in the minimatch package, a popular glob matching library used in Node.js projects. This vulnerability allows an attacker to trigger exponential backtracking within the V8 JavaScript engine, leading to significant performance degradation and potential denial of service. The vulnerability affects versions 10.2.0 and earlier, and a fix is available in version 10.2.1.
The ReDoS vulnerability in minimatch arises from the use of excessive `*` wildcards in glob patterns. When a pattern containing many consecutive `*` characters is matched against a string that does not contain the expected literal character, the V8 regex engine performs exponential backtracking. This backtracking consumes significant CPU, potentially freezing the Node.js process or causing it to crash. The time complexity is O(4^N), where N is the number of `*` characters: a pattern with 15 `*` characters can take 2 seconds to process, while a pattern with 34 `*` characters can effectively hang the system. This makes it possible to remotely cause a DoS condition by crafting malicious glob patterns.
CVE-2026-26996 was publicly disclosed on February 18, 2026. There is no indication of this vulnerability being actively exploited in the wild at this time. The EPSS score is currently unavailable, but given the relatively straightforward nature of triggering ReDoS and the widespread use of minimatch in Node.js projects, the probability of exploitation is considered medium. No public proof-of-concept (PoC) code has been released, but the vulnerability is easily reproducible based on the provided description.
Node.js projects that rely on the minimatch package for glob pattern matching are at risk. This includes projects using file system watchers, build tools, and any application that processes user-supplied file paths or patterns. Projects using older versions of Node.js that may have transitive dependencies on vulnerable versions of minimatch are also at risk.
• nodejs / server:
`npm list minimatch`
This command will list the installed version of minimatch. If the version is less than 10.2.1, the system is vulnerable.
• nodejs / server:
`grep -r 'minimatch.match' ./node_modules/minimatch/`
This command searches for the vulnerable match function within the minimatch module's source code. While not a direct indicator of exploitation, it can help confirm the presence of the vulnerable version.
• nodejs / server:
`ps aux | grep -E 'node.*minimatch'`
This command searches for Node.js processes that are using the minimatch package. Monitor CPU usage of these processes for signs of excessive backtracking.
Exploitation status: disclosure
EPSS: 0.02% (4th percentile)
CISA SSVC
The primary mitigation for CVE-2026-26996 is to upgrade the minimatch package to version 10.2.1 or later. This version includes a fix that prevents the exponential backtracking behavior. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing input validation to restrict the complexity of glob patterns used in your application. While not a complete solution, this can reduce the attack surface. Monitor CPU usage and Node.js process health for signs of excessive backtracking. There are no specific WAF rules or detection signatures readily available for this specific ReDoS vulnerability, but general ReDoS detection rules might provide some protection.
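One way to implement the input validation suggested above, as an added example that is not from the advisory or from minimatch itself: a JavaScript pre-filter that collapses runs of `*` in user-supplied patterns before they reach minimatch, counts suspicious runs for logging, and compares an installed version string against the fixed release. The length limit, the per-segment star cap and the treatment of pure-star segments are assumed policy choices, not values from the advisory.

```javascript
// Defensive pre-filter for user-supplied glob patterns before they reach minimatch.
// Collapsing runs of '*' removes the input shape the advisory describes (many
// consecutive '*' wildcards) while keeping the pattern's meaning: inside a path
// segment, 'a***b' selects the same names as 'a*b'. Limits below are assumptions.
const MAX_PATTERN_LENGTH = 256;   // assumed limit; tune per application
const MAX_STARS_PER_SEGMENT = 2;  // nothing longer than '**' may survive
// A run of 2+ unescaped stars ('\*' is a literal star and is left alone).
const STAR_RUN = /(?<!\\)\*{2,}/g;

function collapseSegment(segment) {
  // A segment made only of stars keeps globstar semantics ('**') when it had
  // two or more stars; a single '*' stays a single '*'.
  if (/^\*+$/.test(segment)) return segment.length >= 2 ? '**' : '*';
  // Mixed segment: any run of unescaped stars is equivalent to one '*'.
  return segment.replace(STAR_RUN, '*');
}

function sanitizeGlobPattern(pattern) {
  if (typeof pattern !== 'string' || pattern.length === 0) {
    throw new TypeError('glob pattern must be a non-empty string');
  }
  if (pattern.length > MAX_PATTERN_LENGTH) {
    throw new RangeError(`glob pattern exceeds ${MAX_PATTERN_LENGTH} characters`);
  }
  return pattern.split('/').map(collapseSegment).join('/');
}

// Number of star runs longer than the allowed maximum. A non-zero count is
// worth logging as suspicious input even when the pattern is then sanitized.
function countExcessiveStarRuns(pattern) {
  const re = new RegExp(`(?<!\\\\)\\*{${MAX_STARS_PER_SEGMENT + 1},}`, 'g');
  return (pattern.match(re) || []).length;
}

// True when an installed minimatch version is below the fixed release (10.2.1).
const FIXED_VERSION = [10, 2, 1];
function isVulnerableMinimatch(version) {
  const parts = version.split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new TypeError(`unparseable version: ${version}`);
  }
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED_VERSION[i]) return parts[i] < FIXED_VERSION[i];
  }
  return false; // exactly 10.2.1 is fixed
}

// Constructed sample input (not from the advisory): a pattern with a long star run.
const sample = 'src/**/a****b.js';
console.log(countExcessiveStarRuns(sample), sanitizeGlobPattern(sample)); // → 1 src/**/a*b.js
```

Run the sanitizer on every externally supplied pattern and alert on a non-zero `countExcessiveStarRuns` result; this reduces exposure but does not replace upgrading to 10.2.1.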
Update the minimatch dependency to version 10.2.1 or later. This fixes the ReDoS vulnerability. Run `npm install minimatch@latest` or `yarn upgrade minimatch` to update.
CVE-2026-26996 is a Regular Expression Denial of Service (ReDoS) vulnerability in the minimatch package for Node.js, allowing attackers to cause performance degradation or denial of service through crafted glob patterns.
You are affected if your Node.js project uses minimatch version 10.2.0 or earlier. Check your installed version using `npm list minimatch`.
Upgrade the minimatch package to version 10.2.1 or later using `npm install minimatch@10.2.1`.
There is currently no evidence of CVE-2026-26996 being actively exploited in the wild, but the vulnerability is easily reproducible and could be exploited.
Refer to the minimatch project's repository and release notes for the official advisory and details on the fix: [https://github.com/trysound/minimatch](https://github.com/trysound/minimatch)