CVE-2026-27904
Received Received - Intake
Catastrophic Backtracking in minimatch Extglobs Causes Denial of Service

Publication date: 2026-02-26

Last updated on: 2026-02-27

Assigner: GitHub, Inc.

Description
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), which exhibit catastrophic backtracking in V8. With a 12-byte pattern `*(*(*(a|b)))` and an 18-byte non-matching input, `minimatch()` stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default `minimatch()` API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects `+()` extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-26
Last Modified
2026-02-27
Generated
2026-06-16
AI Q&A
2026-02-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27904
EUVD
EUVD-2026-8802
Affected Vendors & Products
Showing 8 associated CPEs
Vendor Product Version / Range
minimatch_project minimatch to 3.1.4 (exc)
minimatch_project minimatch From 10.0.0 (inc) to 10.2.3 (exc)
minimatch_project minimatch From 4.0.0 (inc) to 4.2.5 (exc)
minimatch_project minimatch From 5.0.0 (inc) to 5.1.8 (exc)
minimatch_project minimatch From 6.0.0 (inc) to 6.2.2 (exc)
minimatch_project minimatch From 7.0.0 (inc) to 7.4.8 (exc)
minimatch_project minimatch From 8.0.0 (inc) to 8.0.6 (exc)
minimatch_project minimatch From 9.0.0 (inc) to 9.0.7 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1333 The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

The immediate mitigation step is to upgrade minimatch to a fixed version: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, or 3.1.4 or later.

Alternatively, you can disable extglob processing by passing the option `{ noext: true }` to minimatch, which eliminates the vulnerability and drastically reduces matching time for malicious inputs.

Review your application for any user-controlled glob patterns and ensure extglob usage is either disabled or properly sanitized.

Executive Summary

CVE-2026-27904 is a high-severity Regular Expression Denial of Service (ReDoS) vulnerability in the npm package minimatch. It occurs because nested *() or +() extglob patterns generate regular expressions with nested unbounded quantifiers, which cause catastrophic backtracking in the V8 JavaScript engine.

Specifically, patterns like *(*(*(a|b))) produce regexes such as /^(?:(?:(?:a|b)*)*)*$/, which lead to exponential backtracking when matching certain inputs. This can cause the minimatch function to stall for several seconds or even minutes, severely impacting performance.

The vulnerability is triggered by the default minimatch API with no special options, and the minimum viable pattern to exploit it is only 12 bytes long. Both *() and +() extglobs are affected.

Impact Analysis

This vulnerability can cause severe denial of service by exhausting CPU resources and blocking the event loop in Node.js applications using minimatch. When exploited, it can stall the application for several seconds to minutes, depending on the pattern nesting and input size.

Any application that accepts user-controlled glob patterns and uses minimatch without disabling extglobs is vulnerable. This includes build tools, task runners, multi-tenant platforms with user-configured glob rules, and CI/CD pipelines processing user-submitted configurations.

The impact is availability loss due to event loop blocking and CPU exhaustion, with no impact on confidentiality or integrity.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by identifying usage of vulnerable minimatch versions in your environment and by testing for the presence of nested *() or +() extglob patterns that cause catastrophic backtracking.'}, {'type': 'paragraph', 'content': 'You can check the installed minimatch package version by running commands such as:'}, {'type': 'list_item', 'content': 'npm ls minimatch'}, {'type': 'list_item', 'content': 'yarn list minimatch'}, {'type': 'paragraph', 'content': 'To detect if your application is vulnerable to the ReDoS issue, you can test with crafted glob patterns like `*(*(*(a|b)))` and measure if the matching operation stalls or causes high CPU usage.'}, {'type': 'paragraph', 'content': "For example, running a Node.js script that uses minimatch with a nested extglob pattern and a long input string (e.g., many repeated 'a' characters followed by a 'z') can reveal the vulnerability by causing significant delays or CPU exhaustion."}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27904. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart