8.7

CVE-2026-26996

Medienbericht
Exploit

minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern

minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Minimatch ProjectMinimatch SwPlatformnode.js Version >= 3.0.0 < 3.1.3
Minimatch ProjectMinimatch SwPlatformnode.js Version >= 4.0.0 < 4.2.4
Minimatch ProjectMinimatch SwPlatformnode.js Version >= 5.0.0 < 5.1.7
Minimatch ProjectMinimatch SwPlatformnode.js Version >= 6.0.0 < 6.2.1
Minimatch ProjectMinimatch SwPlatformnode.js Version >= 7.0.0 < 7.4.7
Minimatch ProjectMinimatch SwPlatformnode.js Version >= 8.0.0 < 8.0.5
Minimatch ProjectMinimatch SwPlatformnode.js Version >= 9.0.0 < 9.0.6
Minimatch ProjectMinimatch SwPlatformnode.js Version >= 10.0.0 < 10.2.1
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.52% 0.4
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
security-advisories@github.com 8.7 0 0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE-1333 Inefficient Regular Expression Complexity

The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
17.03.2026 15:09
https://github.com/isaacs/minimatch/commit/2e111f3a79abc00fa73110195de2c0f2351904f5
Patch
https://github.com/isaacs/minimatch/security/advisories/GHSA-3ppc-4f35-3m26
Vendor Advisory
Exploit