CVE-2026-26996
HIGH
GHSA-3ppc-4f35-3m26
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4Description
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1.
Analysis
Minimatch versions 10.2.0 and below suffer from catastrophic backtracking in regular expression processing when glob patterns contain multiple consecutive wildcards, enabling denial of service attacks with exponential time complexity. Applications that process user-supplied glob patterns are vulnerable to CPU exhaustion, with worst-case scenarios causing indefinite hangs; public exploit code exists for this vulnerability. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all applications and dependencies using minimatch library and assess exposure scope. Within 7 days: Apply available patches to all affected systems in development, staging, and production environments; prioritize customer-facing and critical systems first. …
Sign in for detailed remediation steps.
Priority Score
Vendor Status
Share
External POC / Exploit Code
Leaving vuln.today