CVE-2026-33671
Regular Expression DoS in Picomatch Glob Matcher Causes CPU Exhaustion
Publication date: 2026-03-26
Last updated on: 2026-04-01
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jonschlinkert | picomatch | to 2.3.2 (exc) |
| jonschlinkert | picomatch | From 3.0.0 (inc) to 3.0.2 (exc) |
| jonschlinkert | picomatch | From 4.0.0 (inc) to 4.0.4 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1333 | The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects the Picomatch JavaScript library, which is used for matching glob patterns. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to a Regular Expression Denial of Service (ReDoS) attack when processing specially crafted extglob patterns.
Certain extglob quantifiers like +() and *(), especially when combined with overlapping alternatives or nested extglobs, cause the library to compile regular expressions that can experience catastrophic backtracking on inputs that do not match. This leads to excessive CPU usage and blocks the Node.js event loop.
The vulnerability is exploitable when untrusted users can supply glob patterns that are passed to picomatch for compilation or matching. Applications using only trusted, developer-controlled patterns are less likely to be affected.
How can this vulnerability impact me? :
An attacker can exploit this vulnerability by providing crafted glob patterns that cause picomatch to consume excessive CPU resources. This results in blocking the Node.js event loop, effectively causing a denial of service (DoS) condition.
Applications that accept glob patterns from untrusted users are at risk of being made unresponsive or slowed down significantly, impacting availability and performance.
If the application only uses trusted, developer-controlled glob patterns, the risk is much lower.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability occurs when untrusted glob patterns containing certain extglob quantifiers such as `+()` and `*()` are processed by vulnerable versions of picomatch, leading to excessive CPU consumption and denial of service.
Detection involves identifying if your application uses picomatch versions prior to 4.0.4, 3.0.2, or 2.3.2 and whether it accepts untrusted glob patterns that include extglob quantifiers or nested extglobs.
Since no specific commands or network detection methods are provided, you can start by checking your package version with commands like `npm list picomatch` or `yarn list picomatch` to verify the installed version.
Additionally, monitoring CPU usage spikes or event loop blocking in Node.js applications when processing glob patterns may indicate exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading picomatch to version 4.0.4, 3.0.2, or 2.3.2 or later, depending on your supported release line.
- Avoid passing untrusted glob patterns to picomatch.
- Disable extglob support for untrusted patterns by using the `noextglob: true` option.
- Reject or sanitize patterns containing nested extglobs or extglob quantifiers such as `+()` and `*()`.
- Enforce strict allowlists for accepted pattern syntax.
- Run matching in an isolated worker or separate process with time and resource limits.
- Apply application-level request throttling and input validation for any endpoint that accepts glob patterns.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.