CVE Reports

Originally published at cvereports.com

CVE-2026-27903: Minimatch Mayhem: How Two Asterisks Can Kill Your Node.js Server

Vulnerability ID: CVE-2026-27903
CVSS Score: 7.5
Published: 2026-02-26

A high-severity Regular Expression Denial of Service (ReDoS) vulnerability exists in the popular minimatch library, affecting millions of Node.js projects. The flaw lies in the inefficient recursive handling of GLOBSTAR (**) patterns, allowing attackers to trigger combinatorial backtracking that stalls the event loop.

TL;DR

The minimatch library, used by virtually every Node.js tool chain, contains a ReDoS flaw in how it handles the ** (globstar) syntax. By supplying a crafted pattern with multiple non-adjacent ** segments, an attacker can force the matching engine into an exponential backtracking loop, freezing the Node.js process instantly. Patches are available across all major version lines.

⚠️ Exploit Status: PoC available

Technical Details

  • CWE ID: CWE-407 (Inefficient Algorithmic Complexity)
  • Attack Vector: Network
  • CVSS: 7.5 (High)
  • Impact: Denial of Service (DoS)
  • Exploit Status: PoC Available
  • Affected Component: matchOne() function in src/index.ts

Affected Systems

  • Node.js applications using minimatch
  • ESLint
  • Babel
  • Angular CLI
  • Webpack configurations
  • VS Code extensions
  • minimatch: < 3.1.3 (Fixed in: 3.1.3)
  • minimatch: >= 9.0.0, < 9.0.7 (Fixed in: 9.0.7)
  • minimatch: >= 10.0.0, < 10.2.3 (Fixed in: 10.2.3)

Code Analysis

Commit: 0bf499a

fix: backtracking optimization and recursion limits

@@ -150,7 +150,20 @@ ... +    if (globStarDepth > maxGlobstarRecursion) return false
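Review bot: the added guard "if (globStarDepth > maxGlobstarRecursion) return false" reports an over-deep pattern as a plain non-match, so a caller cannot tell a path that legitimately does not match from a pattern the recursion limit rejected; document that behaviour and the default value of maxGlobstarRecursion in the matchOne() docs, and consider whether throwing or emitting a debug message when the limit trips fits the API better. The elided lines of the hunk should also show where globStarDepth is incremented and reset, so a reviewer can confirm the counter is scoped to one top-level matchOne() call rather than carried across calls.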

Mitigation Strategies

  • Dependency Auditing
  • Input Validation
  • Resource Limits

Remediation Steps:

  1. Run npm list minimatch to identify vulnerable versions in your dependency tree.
  2. Update minimatch to a patched version (e.g., 9.0.7, 10.2.3) matching your major version requirement.
  3. If a direct update is impossible, use the overrides field (npm) or the resolutions field (Yarn) in package.json to force the patched versions for transitive dependencies.
  4. Sanitize user input to restrict the number of ** segments allowed in glob patterns.
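As an added example of step 4 (not code from the advisory or from the minimatch project), the following Node.js helper counts runs of non-adjacent ** segments in an untrusted glob pattern and rejects the pattern before it ever reaches minimatch. The limit of two globstar runs and the 256-character length cap are assumed values to be tuned per application.

```javascript
// Added example: pre-validate untrusted glob patterns before passing them
// to minimatch, limiting the number of non-adjacent "**" (globstar) segments.
// The limits below are assumed defaults, not values from the advisory.
const MAX_GLOBSTAR_RUNS = 2;     // assumed: allow at most two separate ** runs
const MAX_PATTERN_LENGTH = 256;  // assumed: defense-in-depth length cap

// Count runs of consecutive "**" path segments. Adjacent globstars
// ("**/**") are counted once here, since the advisory attributes the cost
// to non-adjacent ** segments; "a**" or "**b" are ordinary wildcard
// segments, not globstars, and are ignored. Patterns are assumed to use
// "/" as the separator, as minimatch does.
function countGlobstarRuns(pattern) {
  let runs = 0;
  let inRun = false;
  for (const segment of pattern.split('/')) {
    if (segment === '**') {
      if (!inRun) runs += 1;
      inRun = true;
    } else {
      inRun = false;
    }
  }
  return runs;
}

// Returns { ok: true, globstarRuns } for an acceptable pattern, or
// { ok: false, reason } so the caller can reject the request and log why.
function validateGlobPattern(pattern, maxRuns = MAX_GLOBSTAR_RUNS) {
  if (typeof pattern !== 'string') {
    return { ok: false, reason: 'pattern must be a string' };
  }
  if (pattern.length > MAX_PATTERN_LENGTH) {
    return { ok: false, reason: `pattern longer than ${MAX_PATTERN_LENGTH} characters` };
  }
  const globstarRuns = countGlobstarRuns(pattern);
  if (globstarRuns > maxRuns) {
    return { ok: false, reason: `too many ** segments (${globstarRuns} > ${maxRuns})` };
  }
  return { ok: true, globstarRuns };
}

// Constructed sample patterns: the last one mimics the multiple
// non-adjacent ** segments the advisory describes.
const samples = ['src/**/*.js', '**/**/lib/*.ts', '**/a/**/b/**/c/**/d'];
for (const p of samples) {
  console.log(JSON.stringify(p), '=>', JSON.stringify(validateGlobPattern(p)));
}
```

Run the check at the boundary where the pattern enters the application (request handler, CLI argument parsing) rather than deep inside the matching code, so a rejected pattern never costs a matchOne() call.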

References

Read the full report for CVE-2026-27903 on cvereports.com for more details, including interactive diagrams and the full exploit analysis.