
Overview

  • isaacs
  • minimatch

Published: 20 Feb 2026
Updated: 20 Feb 2026

CVSS v4.0: HIGH (8.7)
EPSS: 0.05%

KEV

Description

minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1.

Bluesky

~Socket~ The popular minimatch npm package has three high-severity ReDoS vulnerabilities causing event loop starvation in Node.js. - IOCs: CVE-2026-27904, CVE-2026-27903, CVE-2026-26996 - #NodeJS #ReDoS #ThreatIntel #npm