DEV Community

CVE Reports

Originally published at cvereports.com

CVE-2026-27904: The Infinite Loop of Doom: Unpacking CVE-2026-27904 in Minimatch


Vulnerability ID: CVE-2026-27904
CVSS Score: 7.5
Published: 2026-02-26

Minimatch, the ubiquitous JavaScript glob matcher that almost certainly sits somewhere in your build pipeline, compiles glob patterns into regular expressions, and a specifically crafted 'extglob' pattern can make it emit a regular expression prone to catastrophic backtracking. Because RegExp matching in Node.js is synchronous and runs on the single event-loop thread, a remote attacker who controls a pattern can stall the whole process with a payload smaller than a tweet, turning your high-performance application into a very expensive paperweight.

TL;DR

A ReDoS vulnerability in minimatch allows attackers to cause a Denial of Service via nested extended glob patterns (e.g., *(*(*(a|b)))). Every release line before the fixed versions published in February 2026 is affected (see Affected Systems for the exact ranges). Update immediately.


⚠️ Exploit Status: PoC available

Technical Details

  • CWE ID: CWE-1333
  • Attack Vector: Network
  • CVSS Score: 7.5 (High)
  • EPSS Score: 0.0004
  • Exploit Status: PoC Available
  • Impact: Denial of Service

Affected Systems

  • Node.js Applications
  • Build Tools (Webpack, Gulp, Grunt)
  • Linting Tools (ESLint, Prettier)
  • File System Utilities (rimraf, glob)
  • minimatch: >= 10.0.0, < 10.2.3 (Fixed in: 10.2.3)
  • minimatch: >= 9.0.0, < 9.0.7 (Fixed in: 9.0.7)
  • minimatch: >= 8.0.0, < 8.0.6 (Fixed in: 8.0.6)
  • minimatch: >= 5.0.0, < 5.1.8 (Fixed in: 5.1.8)
  • minimatch: < 3.1.4 (Fixed in: 3.1.4)
  • No fixed release is listed in this report for the 4.x, 6.x or 7.x lines; treat copies on those lines as unfixed and move them to a maintained branch.

Code Analysis

Commit: 11d0df6

Implementation of AST optimization and recursion limits

+ if (patternList.length === 1 && patternList[0] instanceof ExtGlob) {
+   // optimize *(+(a)) -> *(a)
+   this.patternList = patternList[0].patternList
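Review bot: the guard on the first line checks only that the single child is an ExtGlob, not which extglob type the child or this node is, so adopting the child's patternList is sound for the `*(+(a)) -> *(a)` case in the comment but changes the match set for other combinations: `!(+(a))` would become `!(a)`, which accepts "aa" where the original rejects it, and `+(*(a))` would become `+(a)`, which no longer accepts the empty string. Unless the caller already restricts the types, add a check on both nodes' types before the assignment, for example allowing the rewrite only when this node is a `*` group and the child is a `*`, `+`, `?` or `@` group.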

Exploit Details

  • PoC: 12-byte nested extglob pattern triggers exponential backtracking.

Mitigation Strategies

  • Input Validation: If glob patterns can come from untrusted input (API parameters, tenant-uploaded config, CI job definitions), cap their length and reject nested extglob groups before they reach minimatch. If your application never needs extglob syntax, pass { noext: true } so the parser does not treat *(, +(, ?(, @( and !( as groups at all.
  • Library Update: Upgrading to a fixed release is the only robust fix; the checks above only narrow the attack surface.
  • Isolation and Timeouts: A synchronous RegExp match cannot be interrupted once it starts on the main thread, so run matching of untrusted patterns in a worker thread or child process that the parent can terminate on a deadline.
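The input-validation step above, as an added example rather than code from minimatch or from the original report: a gate that scans a candidate pattern for extglob groups (`*(`, `+(`, `?(`, `@(`, `!(`), tracks how deeply they nest, and rejects the nested shape behind this ReDoS before the string is ever handed to minimatch. The length and depth limits, the function name and the sample patterns are all assumptions chosen for illustration.

```javascript
// Added example (not minimatch's own code): a gate for user-supplied glob
// patterns that rejects the nested-extglob shape behind this ReDoS before the
// string reaches minimatch. Both limits are assumptions chosen for illustration.
const MAX_PATTERN_LENGTH = 256; // assumed: long enough for real paths, too short for abuse
const MAX_EXTGLOB_DEPTH = 1;    // assumed: allow *(a|b), reject *(*(a|b)) and deeper

// Returns { ok: true } or { ok: false, reason } for one candidate pattern.
// Extglob groups are *( +( ?( @( !( ... ); we track how deeply they nest.
function checkGlobPattern(pattern) {
  if (typeof pattern !== 'string') return { ok: false, reason: 'pattern is not a string' };
  if (pattern.length > MAX_PATTERN_LENGTH) {
    return { ok: false, reason: `pattern longer than ${MAX_PATTERN_LENGTH} characters` };
  }
  let depth = 0;
  let maxDepth = 0;
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === '\\') { i++; continue; }                    // backslash escapes the next char
    if ('*+?@!'.includes(c) && pattern[i + 1] === '(') {  // start of an extglob group
      depth++;
      if (depth > maxDepth) maxDepth = depth;
      i++;                                                // consume the '('
      continue;
    }
    if (c === ')' && depth > 0) depth--;                  // end of a group
  }
  if (depth !== 0) return { ok: false, reason: 'unbalanced extglob parentheses' };
  if (maxDepth > MAX_EXTGLOB_DEPTH) {
    return { ok: false, reason: `extglob nesting depth ${maxDepth} exceeds ${MAX_EXTGLOB_DEPTH}` };
  }
  return { ok: true };
}

// Constructed sample inputs: three patterns a user might legitimately send and
// the 12-byte PoC shape from the report.
const SAMPLE_PATTERNS = ['src/**/*.js', '*(a|b).txt', 'a\\*(b)', '*(*(*(a|b)))'];
for (const p of SAMPLE_PATTERNS) {
  const r = checkGlobPattern(p);
  console.log(`${p.padEnd(16)} -> ${r.ok ? 'accept' : 'reject: ' + r.reason}`);
}
```

Call checkGlobPattern before every minimatch(path, pattern) on untrusted input and refuse the request when ok is false. The scan is deliberately conservative: it does not understand character classes, so a bracket expression such as `[*(]` counts as an opening group and may cause a legitimate pattern to be rejected, which is the safe direction to fail in.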

Remediation Steps:

  1. Identify every copy in your dependency tree: npm list minimatch --all (minimatch is almost always a transitive dependency, so expect several copies at different versions).
  2. Update each copy to the fixed version for its release line:
     - v10.x -> 10.2.3
     - v9.x -> 9.0.7
     - v8.x -> 8.0.6
     - v5.x -> 5.1.8
     - v3.x -> 3.1.4
  3. Where a copy is pinned by an upstream package you cannot bump, force the version with an overrides entry in package.json (npm), resolutions (Yarn) or pnpm.overrides (pnpm).
  4. Re-run the listing (and npm audit once the advisory is in the registry database) to confirm no vulnerable copy remains.
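The remediation procedure above, carried through as an added example that is not part of the original report: a script that walks the JSON tree printed by npm ls --all --json, compares every minimatch copy against the fixed version for its release line using the table from this report, and emits the npm overrides block that would pin each affected line. The sample tree is constructed for illustration, and the treatment of majors newer than 10 (assumed to postdate the fix) and of the 4.x, 6.x and 7.x lines (treated as unfixed because the report lists no fix for them) are assumptions.

```javascript
// Added example (not part of the original report): walk the JSON that
// `npm ls --all --json` prints, flag every minimatch copy below the fixed
// release for its line, and emit the `overrides` block that pins it.
// SAMPLE_TREE below is constructed for illustration.
const FIXED_BY_MAJOR = { 10: '10.2.3', 9: '9.0.7', 8: '8.0.6', 5: '5.1.8', 3: '3.1.4' };
const NEWEST_FIXED_MAJOR = 10;

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Fixed release for this copy's major line, or null if the report lists none
// (the 4.x, 6.x and 7.x lines, and anything below 3.x).
function fixedVersionFor(version) {
  const major = parseSemver(version)[0];
  return FIXED_BY_MAJOR[major] ?? null;
}

function isVulnerable(version) {
  const fixed = fixedVersionFor(version);
  if (fixed !== null) return compareSemver(version, fixed) < 0;
  // Lines with no listed fix: anything older than the newest fixed line is treated
  // as unfixed; majors newer than 10 are assumed (assumption) to postdate the fix.
  return parseSemver(version)[0] < NEWEST_FIXED_MAJOR;
}

// Depth-first walk of the tree, recording each minimatch copy and how it is reached.
function findMinimatch(node, path = [], out = []) {
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const here = [...path, `${name}@${dep.version}`];
    if (name === 'minimatch') out.push({ path: here.join(' > '), version: dep.version });
    findMinimatch(dep, here, out);
  }
  return out;
}

// Returns all copies, the vulnerable subset, and an npm `overrides` object that
// pins each affected major line to its fixed release.
function report(tree) {
  const copies = findMinimatch(tree);
  const vulnerable = copies.filter((c) => isVulnerable(c.version));
  const overrides = {};
  for (const c of vulnerable) {
    const fixed = fixedVersionFor(c.version);
    if (fixed !== null) overrides[`minimatch@^${parseSemver(c.version)[0]}`] = fixed;
  }
  return { copies, vulnerable, overrides };
}

// Constructed sample, shaped like `npm ls --all --json` output.
const SAMPLE_TREE = {
  name: 'example-app',
  version: '1.0.0',
  dependencies: {
    rimraf: { version: '5.0.5', dependencies: {
      glob: { version: '10.3.10', dependencies: { minimatch: { version: '9.0.3' } } },
    } },
    eslint: { version: '8.57.0', dependencies: { minimatch: { version: '3.1.2' } } },
    'some-lib': { version: '2.0.0', dependencies: { minimatch: { version: '10.2.3' } } },
  },
};

const result = report(SAMPLE_TREE);
for (const c of result.copies) {
  console.log(`${isVulnerable(c.version) ? 'VULNERABLE' : 'ok        '} ${c.path}`);
}
console.log('overrides:', JSON.stringify(result.overrides));
```

To run it against a real project, replace SAMPLE_TREE with JSON.parse of the output of npm ls --all --json. The generated keys use the name@range form that npm overrides accept; a copy on a line with no listed fix is reported as vulnerable but gets no override, because there is no pinned version to point it at, and that copy's parent package has to move to a maintained line instead.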
