PT-2026-28172 · Picomatch · Picomatch

Byamb4 · Published 2026-03-25 · Updated 2026-04-08

CVE-2026-33671
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Picomatch versions prior to 4.0.4
Picomatch versions prior to 3.0.2
Picomatch versions prior to 2.3.2
Description

Picomatch, a glob matcher written in JavaScript, is susceptible to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Specific patterns using extglob quantifiers such as +() and *(), particularly when combined with overlapping alternatives or nested extglobs, can be compiled into regular expressions that exhibit catastrophic backtracking on non-matching input. Applications that allow untrusted users to supply glob patterns to picomatch for compilation or matching are at risk: an attacker can cause excessive CPU consumption and block the Node.js event loop, leading to a denial of service. Applications using only trusted, developer-controlled glob patterns are less likely to be affected.
Recommendations

Versions prior to 4.0.4: upgrade to version 4.0.4 or later.
Versions prior to 3.0.2: upgrade to version 3.0.2 or later.
Versions prior to 2.3.2: upgrade to version 2.3.2 or later.

If upgrading is not immediately possible:
- Avoid passing untrusted glob patterns to picomatch.
- Disable extglob support for untrusted patterns by using noextglob: true.
- Reject or sanitize patterns containing nested extglobs or extglob quantifiers such as +() and *().
- Enforce strict allowlists for accepted pattern syntax.
- Run matching in an isolated worker or separate process with time and resource limits.
- Apply application-level request throttling and input validation for any endpoint that accepts glob patterns.
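The pattern-side mitigations above (reject extglob quantifiers and nested extglobs, enforce a syntax allowlist, pass noextglob) as a pre-filter that runs before an untrusted pattern reaches picomatch. This is an added example, not code from the advisory or the picomatch project; the function names, the length limit and the allowlist are assumptions to be tuned per application.

```javascript
'use strict';

// Added example (not from the advisory or picomatch): vet untrusted glob
// patterns before compiling them. Limits and names are assumptions.
const MAX_PATTERN_LENGTH = 256;                        // constructed limit
const EXTGLOB_OPENERS = new Set(['+', '*', '?', '@', '!']);
// Allowlist for untrusted patterns: path chars, *, ?, **, brace lists and
// bracket classes. Parentheses are deliberately absent.
const ALLOWED = /^[A-Za-z0-9._\-\/*?{},[\]!^]+$/;

// Scans a pattern for extglobs: how many, how many are the +()/*()
// quantifier forms, and the deepest group nesting. Backslash escapes and
// bracket classes are skipped so a literal "(" inside [...] is not counted.
function scanExtglobs(pattern) {
  const info = { extglobs: 0, quantifiers: 0, maxDepth: 0 };
  let depth = 0;
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '\\') { i++; continue; }                // skip escaped char
    if (ch === '[') {                                  // skip bracket class
      const close = pattern.indexOf(']', i + 2);
      if (close !== -1) { i = close; continue; }
    }
    if (EXTGLOB_OPENERS.has(ch) && pattern[i + 1] === '(') {
      info.extglobs++;
      if (ch === '+' || ch === '*') info.quantifiers++;
      depth++; i++;                                    // consume the "("
    } else if (ch === '(') {
      depth++;                                         // plain group
    } else if (ch === ')' && depth > 0) {
      depth--;
    }
    info.maxDepth = Math.max(info.maxDepth, depth);
  }
  return info;
}

// Policy decision for one untrusted pattern: { ok: true } or { ok: false, reason }.
// Extglob checks run before the allowlist so the caller gets a specific reason.
function vetUntrustedPattern(pattern) {
  if (typeof pattern !== 'string' || pattern.length === 0) return { ok: false, reason: 'pattern must be a non-empty string' };
  if (pattern.length > MAX_PATTERN_LENGTH) return { ok: false, reason: 'pattern too long' };
  const ext = scanExtglobs(pattern);
  if (ext.quantifiers > 0) return { ok: false, reason: 'extglob quantifier +() or *() not allowed' };
  if (ext.maxDepth > 1) return { ok: false, reason: 'nested extglob/group not allowed' };
  if (!ALLOWED.test(pattern)) return { ok: false, reason: 'character outside syntax allowlist' };
  return { ok: true };
}

// Options to pass as picomatch's second argument for untrusted patterns:
// noextglob turns extglob parsing off, as the advisory recommends.
function untrustedMatcherOptions() { return { noextglob: true }; }
// Usage: if (vetUntrustedPattern(p).ok) isMatch = picomatch(p, untrustedMatcherOptions());
```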

Tags: Exploit · Fix · DoS

Weakness Enumeration

Related Identifiers

CVE-2026-33671
GHSA-C2C7-RCM5-VVQJ

Affected Products

Picomatch