Prototype Pollution
CVE-2026-33672
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3Blast Radius
ecosystem impact- 1 npm packages depend on picomatch (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 4.0.0.
DescriptionGitHub Advisory
Impact
picomatch is vulnerable to a method injection vulnerability (CWE-1321) affecting the POSIX_REGEX_SOURCE object. Because the object inherits from Object.prototype, specially crafted POSIX bracket expressions (e.g., [[:constructor:]]) can reference inherited method names. These methods are implicitly converted to strings and injected into the generated regular expression.
This leads to incorrect glob matching behavior (integrity impact), where patterns may match unintended filenames. The issue does not enable remote code execution, but it can cause security-relevant logic errors in applications that rely on glob matching for filtering, validation, or access control.
All users of affected picomatch versions that process untrusted or user-controlled glob patterns are potentially impacted.
Patches
This issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2.
Users should upgrade to one of these versions or later, depending on their supported release line.
Workarounds
If upgrading is not immediately possible, avoid passing untrusted glob patterns to picomatch.
Possible mitigations include:
- Sanitizing or rejecting untrusted glob patterns, especially those containing POSIX character classes like
[[:...:]]. - Avoiding the use of POSIX bracket expressions if user input is involved.
- Manually patching the library by modifying
POSIX_REGEX_SOURCEto use a null prototype:
const POSIX_REGEX_SOURCE = {
__proto__: null,
alnum: 'a-zA-Z0-9',
alpha: 'a-zA-Z',
// ... rest unchanged
};
### Resources
- fix for similar issue: https://github.com/micromatch/picomatch/pull/144
- picomatch repository https://github.com/micromatch/picomatchAnalysisAI
picomatch is vulnerable to a method injection vulnerability (CWE-1321) in its POSIX_REGEX_SOURCE object that allows specially crafted POSIX bracket expressions like [[:constructor:]] to reference inherited Object.prototype methods, causing these methods to be stringified and injected into generated regular expressions. This affects all versions of the npm package picomatch prior to 2.3.2, 3.0.2, and 4.0.4, and can cause incorrect glob matching behavior leading to integrity violations where patterns match unintended filenames; while this does not enable remote code execution, it can compromise security-relevant logic in applications using glob matching for filtering, validation, or access control. The vulnerability is not listed in CISA KEV and has no widely published proof-of-concept, but patches are available from the vendor.
Technical ContextAI
picomatch is a popular npm package (CPE: pkg:npm/picomatch) used for glob pattern matching and file path filtering in Node.js applications. The vulnerability stems from CWE-1321 (Improper Validation of Unsafe Equivalence in Regular Expression) combined with prototype pollution concepts. The POSIX_REGEX_SOURCE object, which maps POSIX character class names (like alnum, alpha, digit) to their regex equivalents, inherits from Object.prototype due to standard JavaScript object construction. When processing user-supplied glob patterns containing malicious POSIX bracket expressions such as [[:constructor:]], the library does not sanitize these inputs before interpolating them into regex patterns. JavaScript's prototype chain allows access to inherited properties and methods, and when these method references are stringified and embedded into the regular expression source code, they alter the matching behavior in unintended ways. This is a direct result of insufficient input validation of POSIX character class syntax.
RemediationAI
Upgrade picomatch to version 2.3.2 or later (2.x line), 3.0.2 or later (3.x line), or 4.0.4 or later (4.x line) depending on the currently deployed release line. See the official vendor advisory at https://github.com/micromatch/picomatch/security/advisories/GHSA-3v7f-55p6-f55p for patch details and the fix commit at https://github.com/micromatch/picomatch/commit/4516eb521f13a46b2fe1a1d2c9ef6b20ddc0e903. If immediate patching is not possible, implement input validation by sanitizing or rejecting untrusted glob patterns that contain POSIX character class syntax (e.g., patterns matching /\[\[:[^:]+:\]\]/), or avoid using POSIX bracket expressions for user-controlled input. As a temporary manual patch, modify the POSIX_REGEX_SOURCE object to use a null prototype (__proto__: null) to prevent prototype chain traversal, though this should only serve as a stopgap until the vendor patch is deployed.
More in Prototype Pollution
View allPrototype pollution in Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier enables arbitrary code execu
Prototype pollution in the farinspace Partners WordPress plugin (versions up to and including 0.2.0) enables remote unau
Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service
A Prototype Pollution issue in Cronvel Tree-kit v.0.7.4 and before allows a remote attacker to execute arbitrary code vi
A Prototype Pollution issue in Aliconnect /sdk v.0.0.6 allows an attacker to execute arbitrary code via the aim function
All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper s
This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitr
Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Ser
alizeait unflatto <= 1.0.2 was discovered to contain a prototype pollution via the method exports.unflatto at /dist/inde
A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConf
A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions thru 1.2.10 all
Chartist 1.x through 1.3.0 allows Prototype Pollution via the extend function. Rated critical severity (CVSS 9.8), this
Vendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today