Node.js CVE-2026-33671
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3Blast Radius
ecosystem impact- 1 npm packages depend on picomatch (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 4.0.0.
DescriptionGitHub Advisory
Impact
picomatch is vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as +() and *(), especially when combined with overlapping alternatives or nested extglobs, are compiled into regular expressions that can exhibit catastrophic backtracking on non-matching input.
Examples of problematic patterns include +(a|aa), +(*|?), +(+(a)), *(+(a)), and +(+(+(a))). In local reproduction, these patterns caused multi-second event-loop blocking with relatively short inputs. For example, +(a|aa) compiled to ^(?:(?=.)(?:a|aa)+)$ and took about 2 seconds to reject a 41-character non-matching input, while nested patterns such as +(+(a)) and *(+(a)) took around 29 seconds to reject a 33-character input on a modern M1 MacBook.
Applications are impacted when they allow untrusted users to supply glob patterns that are passed to picomatch for compilation or matching. In those cases, an attacker can cause excessive CPU consumption and block the Node.js event loop, resulting in a denial of service. Applications that only use trusted, developer-controlled glob patterns are much less likely to be exposed in a security-relevant way.
Patches
This issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2.
Users should upgrade to one of these versions or later, depending on their supported release line.
Workarounds
If upgrading is not immediately possible, avoid passing untrusted glob patterns to picomatch.
Possible mitigations include:
- disable extglob support for untrusted patterns by using
noextglob: true - reject or sanitize patterns containing nested extglobs or extglob quantifiers such as
+()and*() - enforce strict allowlists for accepted pattern syntax
- run matching in an isolated worker or separate process with time and resource limits
- apply application-level request throttling and input validation for any endpoint that accepts glob patterns
Resources
- Picomatch repository: https://github.com/micromatch/picomatch
lib/parse.jsandlib/constants.jsare involved in generating the vulnerable regex forms- Comparable ReDoS precedent: CVE-2024-4067 (
micromatch) - Comparable generated-regex precedent: CVE-2024-45296 (
path-to-regexp)
AnalysisAI
picomatch, a widely-used Node.js glob pattern matching library, contains a Regular Expression Denial of Service (ReDoS) vulnerability when processing crafted extglob patterns such as '+(a|aa)' or nested patterns like '+(+(a))'. The vulnerability affects picomatch versions prior to 4.0.4, 3.0.2, and 2.3.2 (tracked via CPE pkg:npm/picomatch) and allows unauthenticated remote attackers to cause multi-second event-loop blocking with relatively short inputs, resulting in application-wide denial of service. Patches are available from the vendor, and while no KEV listing or EPSS score is provided in the data, the CVSS score of 7.5 (High) reflects the network-accessible, low-complexity attack vector requiring no privileges or user interaction.
Technical ContextAI
picomatch is a popular npm package used for matching file paths against glob patterns, commonly employed in build tools, testing frameworks, and file processing utilities throughout the Node.js ecosystem. The vulnerability is rooted in CWE-1333 (Inefficient Regular Expression Complexity), where the library's parsing logic in lib/parse.js and lib/constants.js generates regular expressions with catastrophic backtracking behavior when processing extglob quantifiers like '+()' and '*()', particularly when combined with overlapping alternatives or nested structures. For example, the pattern '+(a|aa)' compiles to the regex '^(?:(?=.)(?:a|aa)+)$' which exhibits exponential time complexity on non-matching inputs. This issue parallels CVE-2024-4067 in the related micromatch library and CVE-2024-45296 in path-to-regexp, both involving ReDoS through generated regular expressions.
RemediationAI
Upgrade picomatch to version 4.0.4, 3.0.2, or 2.3.2 or later depending on your release line, as detailed in the vendor advisory at https://github.com/micromatch/picomatch/security/advisories/GHSA-c2c7-rcm5-vvqj. The patch commit is available at https://github.com/micromatch/picomatch/commit/5eceecd27543b8e056b9307d69e105ea03618a7d for verification. If immediate upgrading is not feasible, implement defense-in-depth measures: disable extglob support for untrusted patterns using the 'noextglob: true' option, reject patterns containing nested extglobs or quantifiers like '+()' and '*()', enforce strict allowlists for accepted pattern syntax, isolate pattern matching operations in worker threads or separate processes with timeout limits, and apply rate limiting and input validation on endpoints accepting glob patterns.
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se
Same technique Denial Of Service
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today