PT-2026-22078 · Minimatch+1

Dolevmiz1 · Published 2026-02-26 · Updated 2026-05-21 · CVE-2026-27903

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions

minimatch versions prior to 3.1.3
minimatch versions 3.1.3 through 4.2.5
minimatch versions 4.2.5 through 5.1.8
minimatch versions 5.1.8 through 6.2.2
minimatch versions 6.2.2 through 7.4.8
minimatch versions 7.4.8 through 8.0.6
minimatch versions 8.0.6 through 9.0.7
minimatch versions 9.0.7 through 10.2.3

Description

minimatch contains a flaw in which the matchOne() function can enter unbounded recursive backtracking when processing glob patterns with multiple non-adjacent ** (GLOBSTAR) segments, particularly when the input path does not match the pattern. The resulting time complexity is O(C(n, k)), where n is the number of path segments and k is the number of globstars. A pattern of approximately 56 bytes can stall the Node.js event loop for extended periods, potentially tens of seconds. Applications exposed to this issue include build tools, task runners, multi-tenant systems, admin interfaces, and CI/CD pipelines that accept user-supplied glob arguments. An attacker who can control the glob pattern passed to minimatch() can exploit this flaw.

Recommendations

Update to minimatch version 3.1.3 or later.
Update to minimatch version 4.2.5 or later.
Update to minimatch version 5.1.8 or later.
Update to minimatch version 6.2.2 or later.
Update to minimatch version 7.4.8 or later.
Update to minimatch version 8.0.6 or later.
Update to minimatch version 9.0.7 or later.
Update to minimatch version 10.2.3 or later.
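
Added example (not part of the advisory and not minimatch code): a pre-validation guard for user-supplied glob patterns that counts non-adjacent ** segments (k) and rejects a pattern when the C(n, k) bound from the description exceeds a work budget. The names countGlobstarGroups, binomial, checkGlobPattern, maxPathSegments and maxSteps are hypothetical, the default limits are assumptions, and brace expansion is not modelled.

```javascript
// Added example: guard for untrusted glob patterns before they reach minimatch().
// Assumption: patterns are plain "/"-separated globs. Patterns with braces
// should be expanded first and each expanded pattern checked separately.

// Count ** segments that are separated by at least one other segment.
// Adjacent runs such as "a/**/**/b" count once.
function countGlobstarGroups(pattern) {
  let groups = 0;
  let prevWasGlobstar = false;
  for (const seg of pattern.split('/')) {
    const isGlobstar = seg === '**';
    if (isGlobstar && !prevWasGlobstar) groups++;
    prevWasGlobstar = isGlobstar;
  }
  return groups;
}

// Binomial coefficient C(n, k), computed with BigInt so large bounds stay exact.
function binomial(n, k) {
  if (k < 0 || k > n) return 0n;
  k = Math.min(k, n - k);
  let result = 1n;
  for (let i = 1; i <= k; i++) {
    // After step i, result equals C(n - k + i, i), so the division is exact.
    result = (result * BigInt(n - k + i)) / BigInt(i);
  }
  return result;
}

// n = deepest path (in segments) the application will match against,
// k = non-adjacent globstar groups in the pattern.
function checkGlobPattern(pattern, { maxPathSegments = 32, maxSteps = 100000n } = {}) {
  const globstars = countGlobstarGroups(pattern);
  const bound = binomial(maxPathSegments, globstars);
  return { globstars, bound, allowed: bound <= maxSteps };
}

// Constructed sample patterns, for illustration only.
for (const p of ['**/*.js', 'a/**/**/b', 'src/**/lib/**/test/**/*.js']) {
  const r = checkGlobPattern(p, { maxSteps: 1000n });
  console.log(p, 'k=' + r.globstars, 'bound=' + r.bound, r.allowed ? 'allow' : 'reject');
}
```

The guard only bounds the worst case for the path depth it is given, so the application must also cap the depth of paths it matches.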

Exploit

Fix

DoS

Weakness Enumeration

Related Identifiers

BDU:2026-07268
CLEANSTART-2026-CE10526
CLEANSTART-2026-DV49099
CLEANSTART-2026-GS57401
CLEANSTART-2026-LC05413
CLEANSTART-2026-NB51079
CLEANSTART-2026-OW14933
CLEANSTART-2026-SW34937
CVE-2026-27903
GHSA-7R86-CG39-JMMJ

Affected Products

Red Os
Minimatch