PT-2026-22079 · Minimatch+2

Dolevmiz1 · Published 2026-02-26 · Updated 2026-05-08 · CVE-2026-27904

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

minimatch versions prior to 10.2.3
minimatch versions prior to 9.0.7
minimatch versions prior to 8.0.6
minimatch versions prior to 7.4.8
minimatch versions prior to 6.2.2
minimatch versions prior to 5.1.8
minimatch versions prior to 4.2.5
minimatch versions prior to 3.1.4

Description

The software is susceptible to catastrophic backtracking when processing certain glob expressions containing nested *() or +() extglobs. Specifically, regular expressions generated from these patterns can lead to excessive backtracking in V8, causing significant performance issues, including stalls lasting several seconds or even minutes. A 12-byte pattern like *(*(*(a|b))) with an 18-byte non-matching input can trigger this behavior. The issue occurs with the default minimatch() API without requiring special options.

Recommendations

Update to minimatch version 10.2.3 or later.
Update to minimatch version 9.0.7 or later.
Update to minimatch version 8.0.6 or later.
Update to minimatch version 7.4.8 or later.
Update to minimatch version 6.2.2 or later.
Update to minimatch version 5.1.8 or later.
Update to minimatch version 4.2.5 or later.
Update to minimatch version 3.1.4 or later.
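
Because minimatch is usually pulled in transitively, one project can carry several copies at different versions. The following is an added example, not part of the advisory or of the minimatch project: it checks every minimatch entry in a parsed package-lock.json against the fixed releases listed above. The function names, the sample lockfile and the reading of each "prior to X" entry as applying to X's own major line are assumptions.

```javascript
// Added example (not from the advisory page): audit a parsed package-lock.json
// (lockfileVersion 2 or 3) for minimatch copies older than the fixed releases.
// Assumption: each "prior to X" entry on the page applies to X's own major line.
const FIXED = {
  10: '10.2.3', 9: '9.0.7', 8: '8.0.6', 7: '7.4.8',
  6: '6.2.2', 5: '5.1.8', 4: '4.2.5', 3: '3.1.4',
};

// Parse MAJOR.MINOR.PATCH; a pre-release suffix is ignored (treated as the release).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

function isBelow(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

// status: 'vulnerable' | 'ok' | 'unknown' (unparseable version string)
function classify(version) {
  const v = parseVersion(version);
  if (!v) return { status: 'unknown', fixed: null };
  // Lines older than 3.x are all prior to 3.1.4; the page lists no fix in those lines.
  if (v[0] < 3) return { status: 'vulnerable', fixed: FIXED[3] };
  const fixed = FIXED[v[0]];
  if (!fixed) return { status: 'ok', fixed: null }; // major newer than any listed (assumed unaffected)
  return { status: isBelow(v, parseVersion(fixed)) ? 'vulnerable' : 'ok', fixed };
}

function auditLock(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Match hoisted and nested copies, but not e.g. @types/minimatch
    if (!/(^|\/)node_modules\/minimatch$/.test(path)) continue;
    const { status, fixed } = classify(meta.version);
    if (status !== 'ok') findings.push({ path, version: meta.version, status, fixed });
  }
  return findings;
}

// Constructed sample lockfile fragment (not real project data)
const sampleLock = { lockfileVersion: 3, packages: {
  'node_modules/minimatch': { version: '9.0.7' },
  'node_modules/glob/node_modules/minimatch': { version: '3.1.2' },
  'node_modules/rimraf/node_modules/minimatch': { version: '5.1.6' },
  'node_modules/@types/minimatch': { version: '5.1.2' },
} };
console.log(auditLock(sampleLock));
```

Each finding names the lockfile path of the copy, so nested copies that a top-level upgrade does not touch are visible.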

Exploit

Fix

DoS

Weakness Enumeration

Related Identifiers

ALSA-2026:7080
ALSA-2026:7123
ALSA-2026:7896
ALSA-2026:8339
CLEANSTART-2026-DV49099
CLEANSTART-2026-GS57401
CLEANSTART-2026-SW34937
CVE-2026-27904
GHSA-23C5-XMQV-RM74
RHSA-2026:6277
RHSA-2026:7080
RHSA-2026:7123
RHSA-2026:7302
RHSA-2026:7310
RHSA-2026:7896
RHSA-2026:7983
RHSA-2026:8339
RHSA-2026:9711
RHSA-2026:9874

Affected Products

Red Os
Rocky Linux
Minimatch