CVE-2026-27904

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-27904
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27904.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-27904
Aliases
Downstream
Related
Published
2026-02-26T01:07:42.693Z
Modified
2026-03-03T02:56:53.968379Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions
Details

minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested *() extglobs produce regexps with nested unbounded quantifiers (e.g. (?:(?:a|b)*)*), which exhibit catastrophic backtracking in V8. With a 12-byte pattern *(*(*(a|b))) and an 18-byte non-matching input, minimatch() stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default minimatch() API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects +() extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27904.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-1333"
    ]
}
References

Affected packages

Git / github.com/isaacs/minimatch

Affected ranges

Type
GIT
Repo
https://github.com/isaacs/minimatch
Events
Introduced
346685ced5203464bb10fd3d4dfa6964f6102ede
Fixed
ea94840326c3f40522f1b544bd2303024b0eec35
Database specific 
{
    "versions": [
        {
            "introduced": "10.0.0"
        },
        {
            "fixed": "10.2.3"
        }
    ]
}
Type
GIT
Repo
https://github.com/isaacs/minimatch
Events
Introduced
b95cb1e4404ce374e447b3b1bfde837e74f139bd
Fixed
2de496f6d9362dd92460f35ffa6ff8de2907244b
Database specific 
{
    "versions": [
        {
            "introduced": "9.0.0"
        },
        {
            "fixed": "9.0.7"
        }
    ]
}
Type
GIT
Repo
https://github.com/isaacs/minimatch
Events
Introduced
5d20578d5749f53f3413b7ca413e5658d6ab0d05
Fixed
a5f07f4b8de8a068e8fcafd44e7cafc2a8fe7be3
Database specific 
{
    "versions": [
        {
            "introduced": "8.0.0"
        },
        {
            "fixed": "8.0.6"
        }
    ]
}
Type
GIT
Repo
https://github.com/isaacs/minimatch
Events
Introduced
ce9e6a4b42eb8a4c39eff1258affa9d37c66101b
Fixed
6fcf01a77e8a85765609e41be089595a36989e07
Database specific 
{
    "versions": [
        {
            "introduced": "7.0.0"
        },
        {
            "fixed": "7.4.8"
        }
    ]
}
Type
GIT
Repo
https://github.com/isaacs/minimatch
Events
Introduced
31f61eeaa6c4493f81bf5eb0a146f23e538fdfd7
Fixed
dc3340d6509d25d4bb75258e6d3b4403bb1cd9c3
Database specific 
{
    "versions": [
        {
            "introduced": "6.0.0"
        },
        {
            "fixed": "6.2.2"
        }
    ]
}
Type
GIT
Repo
https://github.com/isaacs/minimatch
Events
Introduced
fc44f5f9123f534ecbf76af65558eb87d90f1028
Fixed
e92ae291a1e512f2d7ae13d6797b02315f68a40c
Database specific 
{
    "versions": [
        {
            "introduced": "5.0.0"
        },
        {
            "fixed": "5.1.8"
        }
    ]
}
Type
GIT
Repo
https://github.com/isaacs/minimatch
Events
Introduced
26d281dc585af91df47cb93844e227e0ee90b7ce
Fixed
5970751fa5886750886a59a20de834d54b4e2541
Database specific 
{
    "versions": [
        {
            "introduced": "4.0.0"
        },
        {
            "fixed": "4.2.5"
        }
    ]
}
Type
GIT
Repo
https://github.com/isaacs/minimatch
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
1a2e084af579731af66c221214e3ca8222c9bf23
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.1.4"
        }
    ]
}

Affected versions

0.*
0.0.4
0.0.5
0.1.0
0.1.1
0.1.2
0.1.3
0.1.4
0.1.5
0.1.6
0.2.0
0.2.1
0.2.2
0.2.3
0.2.4
0.2.5
v0.*
v0.0.1
v0.2.10
v0.2.11
v0.2.12
v0.2.13
v0.2.14
v0.2.6
v0.2.7
v0.2.8
v0.2.9
v0.3.0
v0.4.0
v1.*
v1.0.0
v10.*
v10.0.0
v10.0.1
v10.0.2
v10.0.3
v10.1.0
v10.1.1
v10.1.2
v10.1.3
v10.2.0
v10.2.1
v10.2.2
v2.*
v2.0.0
v2.0.0-0
v2.0.1
v2.0.10
v2.0.2
v2.0.3
v2.0.4
v2.0.5
v2.0.6
v2.0.7
v2.0.8
v2.0.9
v3.*
v3.0.0
v3.0.1
v3.0.2
v3.0.3
v3.0.4
v3.0.5
v3.0.6
v3.1.0
v3.1.1
v3.1.2
v3.1.3
v4.*
v4.0.0
v4.1.0
v4.1.1
v4.2.0
v4.2.1
v4.2.2
v4.2.3
v4.2.4
v5.*
v5.0.0
v5.0.1
v5.1.0
v5.1.1
v5.1.2
v5.1.3
v5.1.5
v5.1.6
v5.1.7
v6.*
v6.0.0
v6.0.1
v6.0.2
v6.0.3
v6.0.4
v6.1.0
v6.1.1
v6.1.10
v6.1.2
v6.1.3
v6.1.4
v6.1.5
v6.1.6
v6.1.7
v6.1.8
v6.1.9
v6.2.0
v6.2.1
v7.*
v7.0.0
v7.0.1
v7.1.0
v7.1.1
v7.1.2
v7.1.3
v7.1.4
v7.2.0
v7.3.0
v7.4.0
v7.4.1
v7.4.2
v7.4.3
v7.4.4
v7.4.5
v7.4.6
v7.4.7
v8.*
v8.0.0
v8.0.1
v8.0.2
v8.0.3
v8.0.4
v8.0.5
v9.*
v9.0.0
v9.0.1
v9.0.2
v9.0.3
v9.0.4
v9.0.5
v9.0.6

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27904.json"