CVE-2026-33672
Received Received - Intake
Method Injection in Picomatch Glob Matcher Causes Logic Errors

Publication date: 2026-03-26

Last updated on: 2026-04-01

Assigner: GitHub, Inc.

Description
Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to a method injection vulnerability affecting the `POSIX_REGEX_SOURCE` object. Because the object inherits from `Object.prototype`, specially crafted POSIX bracket expressions (e.g., `[[:constructor:]]`) can reference inherited method names. These methods are implicitly converted to strings and injected into the generated regular expression. This leads to incorrect glob matching behavior (integrity impact), where patterns may match unintended filenames. The issue does not enable remote code execution, but it can cause security-relevant logic errors in applications that rely on glob matching for filtering, validation, or access control. All users of affected `picomatch` versions that process untrusted or user-controlled glob patterns are potentially impacted. This issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2. Users should upgrade to one of these versions or later, depending on their supported release line. If upgrading is not immediately possible, avoid passing untrusted glob patterns to picomatch. Possible mitigations include sanitizing or rejecting untrusted glob patterns, especially those containing POSIX character classes like `[[:...:]]`; avoiding the use of POSIX bracket expressions if user input is involved; and manually patching the library by modifying `POSIX_REGEX_SOURCE` to use a null prototype.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-26
Last Modified
2026-04-01
Generated
2026-06-16
AI Q&A
2026-03-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33672
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
jonschlinkert picomatch to 2.3.2 (exc)
jonschlinkert picomatch From 3.0.0 (inc) to 3.0.2 (exc)
jonschlinkert picomatch From 4.0.0 (inc) to 4.0.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1321 The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

The primary mitigation is to upgrade picomatch to a fixed version: 4.0.4, 3.0.2, or 2.3.2 or later, depending on your release line.

If upgrading immediately is not possible, avoid passing untrusted or user-controlled glob patterns to picomatch.

  • Sanitize or reject glob patterns containing POSIX character classes like `[[:...:]]`.
  • Avoid using POSIX bracket expressions if user input is involved.

As a manual mitigation, patch the library by modifying the `POSIX_REGEX_SOURCE` object to use a null prototype to prevent method injection.

Executive Summary

The vulnerability exists in the Picomatch JavaScript library, which is used for glob pattern matching. In affected versions prior to 4.0.4, 3.0.2, and 2.3.2, a method injection vulnerability affects the POSIX_REGEX_SOURCE object. This object inherits from Object.prototype, allowing specially crafted POSIX bracket expressions (such as [[:constructor:]]) to reference inherited method names. These methods are implicitly converted to strings and injected into the generated regular expression, causing incorrect glob matching behavior.

This means that patterns may match unintended filenames, leading to integrity issues in applications that rely on glob matching for filtering, validation, or access control. The vulnerability does not allow remote code execution but can cause security-relevant logic errors.

Impact Analysis

This vulnerability can impact applications that use the affected versions of Picomatch to process untrusted or user-controlled glob patterns. Because the vulnerability causes incorrect glob matching, it may result in unintended filenames being matched.

Such incorrect matching can lead to security-relevant logic errors, for example, bypassing filtering, validation, or access control mechanisms that depend on accurate glob matching. This can compromise the integrity of the application’s security controls.

Detection Guidance

This vulnerability affects specific versions of the picomatch JavaScript library (versions prior to 4.0.4, 3.0.2, and 2.3.2). Detection involves identifying if your system or application uses an affected version of picomatch.

Since this is a library vulnerability related to glob pattern matching, detection commands would focus on checking the installed picomatch version in your project or environment.

  • Run `npm list picomatch` in your project directory to see the installed version of picomatch.
  • Alternatively, check your package-lock.json or yarn.lock files for picomatch version entries.

There are no specific network or system commands to detect exploitation of this vulnerability because it does not involve network activity or remote code execution.

Compliance Impact

This vulnerability causes incorrect glob matching behavior, which can lead to security-relevant logic errors in applications that rely on glob matching for filtering, validation, or access control.

While it does not enable remote code execution, the integrity impact could potentially affect compliance with standards and regulations that require strict data access controls and validation, such as GDPR and HIPAA.

Applications processing untrusted or user-controlled glob patterns may inadvertently allow unintended file matches, which could lead to unauthorized data exposure or improper access control enforcement.

Therefore, failure to address this vulnerability might result in non-compliance with regulations that mandate protecting sensitive data and ensuring proper access restrictions.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33672. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart