CVE-2026-27903
Regular Expression Denial of Service in minimatch Glob Matching
Publication date: 2026-02-26
Last updated on: 2026-02-27
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| minimatch_project | minimatch | Up to 3.1.3 (exc) |
| minimatch_project | minimatch | From 4.0.0 (inc) to 4.2.5 (exc) |
| minimatch_project | minimatch | From 5.0.0 (inc) to 5.1.8 (exc) |
| minimatch_project | minimatch | From 6.0.0 (inc) to 6.2.2 (exc) |
| minimatch_project | minimatch | From 7.0.0 (inc) to 7.4.8 (exc) |
| minimatch_project | minimatch | From 8.0.0 (inc) to 8.0.6 (exc) |
| minimatch_project | minimatch | From 9.0.0 (inc) to 9.0.7 (exc) |
| minimatch_project | minimatch | From 10.0.0 (inc) to 10.2.3 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-407 | An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27903 is a high-severity Regular Expression Denial of Service (ReDoS) vulnerability in the npm package minimatch, which converts glob expressions into JavaScript RegExp objects and performs the matching.
The flaw is in matchOne(), which performs unbounded recursive backtracking when a pattern contains multiple non-adjacent GLOBSTAR segments (`**`). When the input path does not match, each GLOBSTAR retries the remainder of the pattern against every suffix of the remaining path segments, and because the GLOBSTARs nest inside one another, the number of recursive calls grows combinatorially.
The resulting time complexity is O(C(n, k)), binomial in the number of path segments n and the number of GLOBSTAR segments k. For example, with k = 11 and n = 30 a single minimatch call stalls for about 5 seconds; with k = 13 it exceeds 15 seconds.
There is no memoization, depth counter or call budget to cut the recursion short, so the entire call tree is explored before the function returns false on a non-matching input. The work is synchronous on the Node.js event loop, so for the duration of the call nothing else in the process runs.
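The recursion shape described above, as an added example written for this page rather than minimatch's own matchOne(): a minimal segment-level matcher in which every GLOBSTAR retries the rest of the pattern against every suffix of the path, instrumented to count how often the final pattern segment is tested (exactly C(n, k) for the worst case built by buildCase()), beside a variant that memoizes on (path index, pattern index) and enforces a call budget. parseGlob(), parsePath(), buildCase(), binomial() and the budget parameter are this example's own constructions.

```javascript
// Added example, not minimatch's code: a minimal segment-level glob matcher
// with the recursion shape the advisory describes, instrumented to count work.
const GLOBSTAR = Symbol('**');

// Split a glob on "/" and mark "**" segments; everything else is a literal.
function parseGlob(glob) {
  return glob.split('/').map((s) => (s === '**' ? GLOBSTAR : s));
}

function parsePath(path) {
  return path.split('/');
}

// Naive matcher: each GLOBSTAR retries the rest of the pattern against every
// suffix of the remaining path, with no memo, depth counter or call budget.
// leafChecks counts how often the final pattern segment gets tested.
function naiveMatch(fileSegs, patSegs) {
  const stats = { calls: 0, leafChecks: 0 };
  function matchOne(fi, pi) {
    stats.calls++;
    if (pi === patSegs.length) return fi === fileSegs.length;
    if (pi === patSegs.length - 1) stats.leafChecks++;
    const p = patSegs[pi];
    if (p === GLOBSTAR) {
      if (pi === patSegs.length - 1) return true; // trailing "**" takes the rest
      for (let fr = fi; fr <= fileSegs.length; fr++) {
        if (matchOne(fr, pi + 1)) return true;
      }
      return false;
    }
    return fi < fileSegs.length && fileSegs[fi] === p && matchOne(fi + 1, pi + 1);
  }
  return { matched: matchOne(0, 0), ...stats };
}

// Hardened variant: the answer for a given (fi, pi) never changes, so memoizing
// it bounds the work to O(n*m) states; an optional call budget turns a
// pathological input into an exception instead of a stalled event loop.
function memoMatch(fileSegs, patSegs, budget = Infinity) {
  const m = patSegs.length;
  const memo = new Map();
  let calls = 0;
  function matchOne(fi, pi) {
    const key = fi * (m + 1) + pi;
    if (memo.has(key)) return memo.get(key);
    if (++calls > budget) throw new RangeError(`glob match exceeded call budget of ${budget}`);
    let result;
    if (pi === m) {
      result = fi === fileSegs.length;
    } else if (patSegs[pi] === GLOBSTAR) {
      result = pi === m - 1; // trailing "**" takes the rest
      for (let fr = fi; !result && fr <= fileSegs.length; fr++) result = matchOne(fr, pi + 1);
    } else {
      result = fi < fileSegs.length && fileSegs[fi] === patSegs[pi] && matchOne(fi + 1, pi + 1);
    }
    memo.set(key, result);
    return result;
  }
  return { matched: matchOne(0, 0), calls };
}

// The worst case the advisory describes: k non-adjacent "**" separated by
// literals that match every path segment, then a final literal that never does.
function buildCase(n, k) {
  const glob = Array(k).fill('**/a').join('/') + '/z'; // "**/a/**/a/.../z"
  const path = Array(n).fill('a').join('/');           // "a/a/.../a"
  return { fileSegs: parsePath(path), patSegs: parseGlob(glob) };
}

// C(n, k): the number of ways the k literal "a" segments can be placed.
function binomial(n, k) {
  let r = 1;
  for (let i = 1; i <= k; i++) r = (r * (n - k + i)) / i;
  return r;
}

for (const [n, k] of [[12, 4], [20, 6]]) {
  const c = buildCase(n, k);
  const naive = naiveMatch(c.fileSegs, c.patSegs);
  const memo = memoMatch(c.fileSegs, c.patSegs);
  console.log(`n=${n} k=${k}: C(n,k)=${binomial(n, k)} naive leaf checks=${naive.leafChecks} ` +
              `naive calls=${naive.calls} memoized calls=${memo.calls}`);
}
```

The two matchers return the same answers; the difference is the work. For the naive matcher the leaf-check count is exactly C(n, k) regardless of how many calls sit above the leaves, while the memoized matcher never visits more than (n + 1) * (m + 1) states, m being the number of pattern segments.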
How can this vulnerability impact me?
This vulnerability can cause denial of service: a single invocation on a crafted glob pattern with multiple non-adjacent GLOBSTAR segments stalls the Node.js event loop for seconds to tens of seconds, and nothing else in that process runs while it does.
An attacker who can influence the glob pattern passed to minimatch can therefore block or significantly delay the application, causing outages or degraded performance. Common exposure points include:
- Build tools and task runners that accept user-supplied glob arguments (e.g., ESLint, Webpack, Rollup).
- Multi-tenant systems where one tenant configures glob-based rules that run in a shared process.
- Admin or developer interfaces that accept ignore-rule or filter configuration as globs.
- CI/CD pipelines that evaluate user-submitted config files containing glob patterns.
In these settings the attack needs no privileges or user interaction, and where the pattern is accepted over the network it can be triggered remotely, which is what makes it highly impactful.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection comes down to finding every installed copy of minimatch and checking whether its version is below the fix for its major line: 3.1.3, 4.2.5, 5.1.8, 6.2.2, 7.4.8, 8.0.6, 9.0.7 or 10.2.3. minimatch is rarely a direct dependency; it is usually pulled in transitively (through glob, ESLint and many build tools), often in several versions at once, so inspect the whole dependency tree rather than only package.json.
Useful commands for Node.js projects:
- npm ls minimatch --all (lists nested copies too; add --json for machine-readable output)
- yarn list --pattern minimatch
- npm audit (reports the advisory once it is in the npm advisory database)
- inspecting package-lock.json or yarn.lock for every minimatch entry and its resolved version
Symptom-based monitoring also helps: unusually long stalls in processes that evaluate glob patterns, especially patterns containing multiple non-adjacent GLOBSTAR (`**`) segments, are consistent with this bug.
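A version check over the dependency tree, as an added example that is not part of this advisory: it walks the JSON shape printed by `npm ls minimatch --all --json`, flags every installed copy whose version falls below the fixed release for its major line (the fixed versions are the ones listed on this page), and reports the dependency path so the offending parent package can be identified. SAMPLE_NPM_LS is a constructed tree, not real output, and the treatment of majors above 10 as unaffected is an assumption, since the page lists no range for them.

```javascript
// Added example (not part of the advisory): find every installed minimatch in
// `npm ls minimatch --all --json` output and flag vulnerable versions.
// Fixed versions per major line are the ones listed on this page; anything at
// or above 11.0.0 is assumed unaffected because no range is listed for it.
const FIXED_BY_MAJOR = {
  3: '3.1.3', 4: '4.2.5', 5: '5.1.8', 6: '6.2.2',
  7: '7.4.8', 8: '8.0.6', 9: '9.0.7', 10: '10.2.3',
};

// Parse "MAJOR.MINOR.PATCH[-pre][+build]" (optional leading "v") into numbers;
// prerelease and build tags are ignored for this comparison.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison, so 10.0.0 sorts after 9.9.9 (a string compare would not).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// True when `version` is below the first fixed release of its major line.
// Everything before 3.1.3 (including 0.x-2.x) is affected, per the table above.
function isVulnerable(version) {
  const major = parseVersion(version)[0];
  const fixed = major <= 3 ? FIXED_BY_MAJOR[3] : FIXED_BY_MAJOR[major];
  if (fixed === undefined) return false; // assumption: majors above 10 unaffected
  return compareVersions(version, fixed) < 0;
}

// Depth-first walk of the npm ls JSON tree, returning every minimatch install
// with the dependency path that pulled it in. Nodes without a version (deduped
// references) are skipped; the copy they point at is reported where it lives.
function findMinimatch(tree, path = []) {
  const found = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, name];
    if (name === 'minimatch' && node.version) {
      found.push({ path: here.join(' > '), version: node.version, vulnerable: isVulnerable(node.version) });
    }
    found.push(...findMinimatch(node, here));
  }
  return found;
}

// Constructed sample (not real output) in the shape `npm ls minimatch --all --json` prints.
const SAMPLE_NPM_LS = {
  name: 'example-app',
  version: '1.0.0',
  dependencies: {
    glob: { version: '10.3.10', dependencies: { minimatch: { version: '9.0.3' } } },
    minimatch: { version: '10.2.3' },
    eslint: { version: '8.57.0', dependencies: { minimatch: { version: '3.1.2' } } },
  },
};

for (const hit of findMinimatch(SAMPLE_NPM_LS)) {
  console.log(`${hit.vulnerable ? 'VULNERABLE' : 'ok        '} ${hit.version.padEnd(8)} ${hit.path}`);
}
```

To run it against a real project, save `npm ls minimatch --all --json` to a file, JSON.parse() it and pass the object to findMinimatch() in place of SAMPLE_NPM_LS; the reported path tells you which parent package needs its dependency bumped.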
What immediate steps should I take to mitigate this vulnerability?
Upgrade minimatch to a patched release: 3.1.3, 4.2.5, 5.1.8, 6.2.2, 7.4.8, 8.0.6, 9.0.7 or 10.2.3, or any later version in the same major line. Vulnerable copies are usually transitive, so refresh the lockfile so that nested copies move as well; where a dependency pins an old range, the `overrides` field in package.json (npm) or `resolutions` (yarn) can force the patched version.
If upgrading is not immediately possible, restrict or sanitize any user input that influences glob patterns passed to minimatch, for example by rejecting patterns with more than a small number of non-adjacent GLOBSTAR (`**`) segments, and run matching of untrusted patterns in a worker with a timeout so a stall cannot block the main event loop.
Also monitor your systems for event loop stalls or denial of service, especially in build tools, task runners, multi-tenant systems, admin interfaces and CI/CD pipelines that use minimatch.
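An input guard for the interim mitigation above, as an added example that is not minimatch's code: it collapses runs of adjacent `**` segments (which do not compound the backtracking) and rejects any pattern whose remaining count of GLOBSTAR segments exceeds a limit, before the pattern ever reaches minimatch. The default limit of 2 is this example's own policy assumption; tune it to what your users legitimately need.

```javascript
// Added example, not minimatch's code: reject user-supplied globs that could
// drive the binomial worst case before they are handed to minimatch.

// Collapse runs of adjacent "**" ("**/**" matches the same paths as "**"),
// since only non-adjacent GLOBSTAR segments multiply the backtracking.
function normalizeGlob(pattern) {
  const out = [];
  for (const seg of pattern.split('/')) {
    if (seg === '**' && out[out.length - 1] === '**') continue;
    out.push(seg);
  }
  return out.join('/');
}

// Number of GLOBSTAR segments after normalization: the k in O(C(n, k)).
function countGlobstars(pattern) {
  return normalizeGlob(pattern).split('/').filter((seg) => seg === '**').length;
}

// Returns the normalized pattern, or throws when it carries more non-adjacent
// "**" segments than the policy allows. maxGlobstars = 2 is an assumed default.
function assertSafeGlob(pattern, maxGlobstars = 2) {
  const normalized = normalizeGlob(pattern);
  const k = countGlobstars(normalized);
  if (k > maxGlobstars) {
    throw new RangeError(`glob "${pattern}" has ${k} "**" segments; limit is ${maxGlobstars}`);
  }
  return normalized;
}

// Constructed inputs: typical ignore rules pass, a crafted pattern is refused.
for (const candidate of ['src/**/**/*.js', '**/node_modules/**', '**/a/**/a/**/a/**/a/z']) {
  try {
    console.log(`accepted: ${assertSafeGlob(candidate)}`);
  } catch (e) {
    console.log(`rejected: ${e.message}`);
  }
}
```

Apply the guard at the trust boundary (the request handler, config loader or CLI argument parser), and pass the normalized pattern on so that a later GLOBSTAR count cannot exceed what was checked.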