PT-2026-28173 · Picomatch · Picomatch

Byamb4 · Published 2026-03-25 · Updated 2026-04-08 · CVE-2026-33672

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Picomatch versions prior to 4.0.4
Picomatch versions prior to 3.0.2
Picomatch versions prior to 2.3.2

Description
Picomatch, a JavaScript glob matcher, contains a flaw where specially crafted POSIX bracket expressions, such as [[:constructor:]], can inject inherited method names into generated regular expressions because the POSIX_REGEX_SOURCE lookup object inherits from Object.prototype. This results in incorrect glob matching, potentially causing security-relevant logic errors in applications that rely on glob matching for filtering, validation, or access control. The issue does not allow remote code execution. The vulnerability affects users of affected picomatch versions that process untrusted or user-controlled glob patterns.

Recommendations
Versions prior to 4.0.4 should be upgraded to version 4.0.4 or later.
Versions prior to 3.0.2 should be upgraded to version 3.0.2 or later.
Versions prior to 2.3.2 should be upgraded to version 2.3.2 or later.
If upgrading is not immediately possible, avoid passing untrusted glob patterns to Picomatch. Sanitize or reject untrusted glob patterns, especially those containing POSIX character classes of the form [[:...:]], and avoid POSIX bracket expressions altogether where user input is involved. As a manual patch, modify POSIX_REGEX_SOURCE so that it uses a null prototype.
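The following JavaScript is an added illustration, not picomatch's own code: it reduces the flaw to a POSIX class lookup table that inherits from Object.prototype, placed beside the same table built with Object.create(null), which is the null-prototype fix the recommendations describe. The table and function names are assumed for this example.

```javascript
// Added illustration (not picomatch's code): how a POSIX bracket class such
// as [[:alpha:]] is turned into regex source, and why the prototype matters.

// Vulnerable shape: an object literal inherits from Object.prototype, so a
// class name like "constructor" or "hasOwnProperty" resolves through the
// prototype chain to a built-in function instead of a character class.
const POSIX_INHERITED = { alpha: 'a-zA-Z', digit: '0-9', space: ' \\t\\n' };

// Hardened shape: the same own entries on a null-prototype object, so any
// name that is not an explicit entry resolves to undefined.
const POSIX_NULL_PROTO = Object.assign(Object.create(null), POSIX_INHERITED);

// Matches a whole bracket expression of the form [[:name:]].
const POSIX_CLASS = /^\[\[:([A-Za-z_]+):\]\]$/;

// Expand one bracket expression into regex source using `table`.
// Returns null for an unknown class so the caller can reject the pattern
// rather than emit a broken character class.
function expandPosixClass(table, pattern) {
  const m = POSIX_CLASS.exec(pattern);
  if (m === null) return null;
  const source = table[m[1]];
  if (source === undefined) return null;
  // With the inherited table, `source` can be a function here; template
  // interpolation stringifies it and injects its text into the regex.
  return `[${source}]`;
}

// Convenience wrapper for the hardened table that also enforces the
// "reject unknown classes" recommendation by throwing.
function expandOrReject(pattern) {
  const out = expandPosixClass(POSIX_NULL_PROTO, pattern);
  if (out === null) throw new Error(`rejected POSIX class in ${pattern}`);
  return out;
}
```

With the inherited table, `[[:constructor:]]` expands to `[function Object() { [native code] }]`; with the null-prototype table the same pattern is rejected.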
Prototype Pollution

Weakness Enumeration

Related Identifiers

CVE-2026-33672
GHSA-3V7F-55P6-F55P

Affected Products

Picomatch