PT-2026-20994 · Minimatch+2
Akshayjaing · Published 2026-02-18 · Updated 2026-05-21
CVE-2026-26996 · CVSS v4.0 8.7 (High)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
minimatch versions 10.2.0 and below
Description
The software is susceptible to Regular Expression Denial of Service (ReDoS) when processing glob patterns that contain many consecutive * wildcards followed by a literal character absent from the input string. Each * is translated into a separate [^/]*? regex group, so when the match fails V8's regex engine backtracks through every way of distributing the input among those groups, and the running time grows as O(4^N), where N is the number of * characters. A single call to minimatch() takes approximately 2 seconds with N=15 and effectively hangs with N=34. Applications that pass user-supplied strings as the pattern argument of minimatch() are therefore exposed to Denial of Service.
Recommendations
Update to version 10.2.1 or later.
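The following JavaScript is an added example, not minimatch's own code or the advisory's. It models the translation the description gives (one [^/]*? group per * within a path segment) so the failing-match regex can be built and timed at small N, and it shows two caller-side checks for patterns that arrive from users: a counter for the longest run of * wildcards, and a collapser that rewrites each run to a single *. The helper names, the threshold, the 12-character constructed input, and the decision to treat bracket expressions and other minimatch syntax as ordinary characters are assumptions made for this example; a segment that is exactly ** is kept as minimatch's globstar, and a backslash-escaped \* is treated as a literal.

```javascript
// Added example (not from minimatch or the advisory): models the per-`*`
// `[^/]*?` translation the description gives and shows caller-side checks
// for untrusted glob patterns. Helper names and the threshold are assumptions.

// Escape one character so it is matched literally inside a RegExp source.
function escapeLiteral(ch) {
  return ch.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Regex source for a single path segment, following the advisory's model:
// every unescaped `*` becomes its own `[^/]*?` group, `\x` is the literal x,
// everything else is matched literally. Bracket expressions, `?`, braces and
// the rest of minimatch's syntax are deliberately not modelled (assumption).
function segmentToRegexSource(segment) {
  let src = '^';
  for (let i = 0; i < segment.length; i++) {
    const ch = segment[i];
    if (ch === '\\' && i + 1 < segment.length) {
      src += escapeLiteral(segment[++i]);
    } else if (ch === '*') {
      src += '[^/]*?';
    } else {
      src += escapeLiteral(ch);
    }
  }
  return src + '$';
}

// Longest run of adjacent unescaped `*` anywhere in the pattern: a cheap
// detector for inputs like `a***************b` arriving from users.
function maxStarRun(pattern) {
  let best = 0;
  let run = 0;
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '\\') { i++; run = 0; continue; }  // skip the escaped char
    if (ch === '*') {
      run++;
      if (run > best) best = run;
    } else {
      run = 0;
    }
  }
  return best;
}

// Rewrite runs of adjacent unescaped `*` inside each path segment to a single
// `*`. n adjacent `[^/]*?` groups match exactly the strings one `[^/]*` does,
// so matching semantics are unchanged; only a segment that is exactly `**`
// (minimatch's globstar) is left alone.
function collapseStars(pattern) {
  return pattern.split('/').map((seg) => {
    if (seg === '**') return seg;
    let out = '';
    let prevStar = false;
    for (let i = 0; i < seg.length; i++) {
      const ch = seg[i];
      if (ch === '\\' && i + 1 < seg.length) {
        out += ch + seg[++i];
        prevStar = false;
      } else if (ch === '*') {
        if (!prevStar) out += ch;
        prevStar = true;
      } else {
        out += ch;
        prevStar = false;
      }
    }
    return out;
  }).join('/');
}

// Build the advisory's failing case for n stars (`a` + n*`*` + `b`) and time
// the modelled regex against a constructed input that contains no `b`. Keep n
// small here; the advisory reports ~2 s at N=15 and a hang at N=34 against
// minimatch 10.2.0 itself.
function timeFailingMatch(n) {
  const pattern = 'a' + '*'.repeat(n) + 'b';
  const re = new RegExp(segmentToRegexSource(pattern));
  const input = 'a'.repeat(12);                // constructed input, no `b`
  const t0 = performance.now();
  const matched = re.test(input);
  return { pattern, matched, ms: performance.now() - t0 };
}

// Policy for untrusted patterns: flag long runs, then collapse before the
// pattern is handed to minimatch(). The threshold is an assumed value.
const MAX_STAR_RUN = 8;
function sanitizePattern(pattern) {
  const run = maxStarRun(pattern);
  return { suspicious: run > MAX_STAR_RUN, pattern: collapseStars(pattern) };
}
```

Collapsing is what removes this particular blow-up, and the rewritten pattern can be passed to minimatch() unchanged; the run counter is cheaper and suits logging or a request filter in front of the matcher. Neither check replaces upgrading to 10.2.1.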
Exploit · Fix · DoS
Affected Products
Red Os
Rocky Linux
Minimatch