CVE-2026-27904
Catastrophic Backtracking in minimatch Extglobs Causes Denial of Service
Publication date: 2026-02-26
Last updated on: 2026-02-27
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| minimatch_project | minimatch | Up to 3.1.4 (exc) |
| minimatch_project | minimatch | From 10.0.0 (inc) to 10.2.3 (exc) |
| minimatch_project | minimatch | From 4.0.0 (inc) to 4.2.5 (exc) |
| minimatch_project | minimatch | From 5.0.0 (inc) to 5.1.8 (exc) |
| minimatch_project | minimatch | From 6.0.0 (inc) to 6.2.2 (exc) |
| minimatch_project | minimatch | From 7.0.0 (inc) to 7.4.8 (exc) |
| minimatch_project | minimatch | From 8.0.0 (inc) to 8.0.6 (exc) |
| minimatch_project | minimatch | From 9.0.0 (inc) to 9.0.7 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1333 | The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade minimatch to a fixed version: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, or 3.1.4 or later.
Alternatively, you can disable extglob processing by passing the option `{ noext: true }` to minimatch, which eliminates the vulnerability and drastically reduces matching time for malicious inputs.
Review your application for any user-controlled glob patterns and ensure extglob usage is either disabled or properly sanitized.
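One way to apply the "properly sanitized" advice above is to reject user-supplied patterns that nest extglob groups before they ever reach minimatch. The guard below is an added example, not code from the advisory or from the minimatch project; its depth limit of 1 is a policy choice made here, and `{ noext: true }` remains the simpler fix where extglobs are not needed.

```javascript
// Added example, not code from the advisory or from the minimatch project: a pre-filter
// that rejects user-supplied glob patterns with nested extglob groups before they reach
// minimatch. The depth limit is a policy value chosen here; `{ noext: true }` remains
// the simplest fix because it disables extglob parsing entirely.

// Characters that turn a following "(" into an extglob group: *( +( @( ?( !(
const EXTGLOB_OPENERS = new Set(['*', '+', '@', '?', '!']);

// Returns the deepest nesting of extglob groups in `pattern`:
// 0 for no extglob, 1 for *(a|b), 2 for *(*(a|b)), 3 for *(*(*(a|b))), ...
function extglobNestingDepth(pattern) {
  const stack = [];        // one entry per open "(": true if it began an extglob group
  let depth = 0, maxDepth = 0;
  let prevOpener = false;  // was the previous unescaped character an extglob opener?
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '\\') { i++; prevOpener = false; continue; } // escaped char cannot open a group
    if (ch === '(') {
      stack.push(prevOpener);
      if (prevOpener) {
        depth++;
        maxDepth = Math.max(maxDepth, depth);
      }
    } else if (ch === ')' && stack.length > 0) {
      if (stack.pop()) depth--;
    }
    prevOpener = EXTGLOB_OPENERS.has(ch);
  }
  return maxDepth;
}

// Policy check: allow at most `maxDepth` levels of extglob nesting. The default of 1
// permits a plain *(a|b) but rejects the nested forms the advisory describes.
function isSafeGlob(pattern, maxDepth = 1) {
  return extglobNestingDepth(pattern) <= maxDepth;
}

// Splits a batch of user-supplied patterns into those that may be passed to minimatch
// and those that must be rejected (or matched only with `{ noext: true }`).
function vetGlobPatterns(patterns, maxDepth = 1) {
  const accepted = [], rejected = [];
  for (const p of patterns) (isSafeGlob(p, maxDepth) ? accepted : rejected).push(p);
  return { accepted, rejected };
}

// Constructed sample input: three benign patterns plus the advisory's nested example.
const SAMPLE_PATTERNS = ['src/**/*.js', '@(foo|bar)/*.ts', '*(a|b)', '*(*(*(a|b)))'];
console.log(vetGlobPatterns(SAMPLE_PATTERNS));
```

Patterns that land in `rejected` should be refused outright or matched only with extglobs disabled; the guard does not replace upgrading to a fixed version.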
Can you explain this vulnerability to me?
CVE-2026-27904 is a high-severity Regular Expression Denial of Service (ReDoS) vulnerability in the npm package minimatch. It occurs because nested *() or +() extglob patterns generate regular expressions with nested unbounded quantifiers, which cause catastrophic backtracking in the V8 JavaScript engine.
Specifically, patterns like *(*(*(a|b))) produce regexes such as /^(?:(?:(?:a|b)*)*)*$/, which lead to exponential backtracking when matching certain inputs. This can cause the minimatch function to stall for several seconds or even minutes, severely impacting performance.
The vulnerability is triggered by the default minimatch API with no special options, and the minimum viable pattern to exploit it is only 12 bytes long. Both *() and +() extglobs are affected.
How can this vulnerability impact me?
This vulnerability can cause severe denial of service by exhausting CPU resources and blocking the event loop in Node.js applications using minimatch. When exploited, it can stall the application for several seconds to minutes, depending on the pattern nesting and input size.
Any application that accepts user-controlled glob patterns and uses minimatch without disabling extglobs is vulnerable. This includes build tools, task runners, multi-tenant platforms with user-configured glob rules, and CI/CD pipelines processing user-submitted configurations.
The impact is availability loss due to event loop blocking and CPU exhaustion, with no impact on confidentiality or integrity.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying usage of vulnerable minimatch versions in your environment and by testing for the presence of nested *() or +() extglob patterns that cause catastrophic backtracking.

You can check the installed minimatch package version by running commands such as:

- `npm ls minimatch`
- `yarn list minimatch`

To detect if your application is vulnerable to the ReDoS issue, you can test with crafted glob patterns like `*(*(*(a|b)))` and measure whether the matching operation stalls or causes high CPU usage.

For example, running a Node.js script that uses minimatch with a nested extglob pattern and a long input string (e.g., many repeated 'a' characters followed by a 'z') can reveal the vulnerability by causing significant delays or CPU exhaustion.