minimatch Fixes Three High-Severity ReDoS Flaws
GitHub has issued three high-severity security advisories for minimatch, a cornerstone npm package for glob pattern matching in JavaScript. Published between February 16 and 24, these flaws expose Node.js applications to Regular Expression Denial of Service (ReDoS) attacks, potentially starving the event loop with malicious patterns.
With minimatch racking up 472 million weekly downloads, the vulnerabilities ripple across build tools, bundlers, test runners, and package managers.
The advisories, coordinated by maintainer Isaac Schlueter, include backported fixes across major versions.
Three High-Severity ReDoS Flaws
CVE-2026-27904: Nested Extglob ReDoS (GHSA-23c5-xmqv-rm74, Feb 24)
This flaw hits nested extglobs like *(*(*(a|b))). Minimatch@10.2.2 generates catastrophic regexes with unbounded nested quantifiers, such as /^(?:(?:(?:a|b)*)*)*$/. V8’s engine suffers exponential backtracking: a 12-byte pattern with an 18-character non-matching input stalls for over 7 seconds. Deeper nesting or longer inputs amplify delays.
CVSS 3.1 score: 7.5 (High, availability impact). Patched in 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4. Mitigate via { noext: true }.
CVE-2026-27903: GLOBSTAR Combinatorial Backtracking (GHSA-7r86-cg39-jmmj, Feb 24)
Multiple non-adjacent ** (GLOBSTAR) patterns trigger recursive suffix matching that explodes combinatorially. Eleven globstars on a 30-segment path take 5 seconds; 13 exceed 15 seconds. Node’s single-threaded event loop blocks entirely. Patched in the same versions as above.
CVE-2026-26996: Repeated Wildcards ReDoS (GHSA-3ppc-4f35-3m26, Feb 16)
Consecutive * wildcards followed by a literal that does not appear in the input create O(4^N) complexity (N = number of wildcards). Fifteen wildcards consume two seconds; more hang indefinitely. Each * spawns a regex group, forcing exhaustive splits. Patched in 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3.
Because minimatch is so often a transitive dependency, exposure is vast: even indirect users in CI/CD pipelines, multi-tenant apps, or admin panels face risk. Attackers need only control glob inputs, such as user-supplied build arguments, ignore rules, or config files. A single invocation can DoS the process for seconds to minutes.
Patches surgically fix the regex and recursion logic, preserving behavior. Install via:
socket patch GHSA-23c5-xmqv-rm74
socket patch GHSA-7r86-cg39-jmmj
socket patch GHSA-3ppc-4f35-3m26
Run them after npm install. The patches are free for all users; combined builds are a premium feature.
Update immediately, check npm ls minimatch, and audit dependents. These fixes avert ecosystem-wide disruptions in tools like webpack, Jest, and npm itself.
Site: cybersecuritypath.com
Reference: https://socket.dev/blog/minimatch-patches-3-high-severity-redos-vulnerabilities