CVE-2026-27904
Published: 26 February 2026
Summary
CVE-2026-27904 is a high-severity Inefficient Regular Expression Complexity (CWE-1333) vulnerability in Minimatch Project Minimatch. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 7.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE enables ReDoS: a malicious glob pattern triggers catastrophic regexp backtracking, which maps directly to Application or System Exploitation for endpoint denial of service (T1499.004).
NVD Description
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), which exhibit catastrophic backtracking in V8. With a 12-byte pattern `*(*(*(a|b)))` and an 18-byte non-matching input, `minimatch()` stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default `minimatch()` API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects `+()` extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.
Deeper analysis
CVE-2026-27904 is a denial-of-service vulnerability in the minimatch JavaScript library, a minimal utility for converting glob expressions into RegExp objects. The issue affects multiple version branches prior to 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4. It arises from nested `*()` or `+()` extglobs generating regexps with nested unbounded quantifiers, such as `(?:(?:a|b)*)*`, which trigger catastrophic backtracking in the V8 JavaScript engine. A minimal 12-byte pattern like `*(*(*(a|b)))` paired with an 18-byte non-matching input causes minimatch() to stall for over 7 seconds, with deeper nesting or longer inputs escalating to minutes of CPU exhaustion.
The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating it is exploitable over the network with low complexity, no privileges or user interaction required, and high availability impact. Any unauthenticated attacker who can supply a malicious glob pattern to the default minimatch() API, with no special options set, can induce severe performance degradation or a complete hang in the affected application. This includes Node.js projects or web apps that use minimatch for file path matching, package resolution, or similar glob-based operations.
The GitHub security advisory (GHSA-23c5-xmqv-rm74) recommends upgrading to the fixed versions: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, or 3.1.4, which address the nested quantifier issue in extglob handling. No workarounds are specified beyond updating, as the flaw is triggered by standard API usage.
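As an added defensive example, not part of the advisory or the minimatch project: a pre-check that rejects untrusted glob patterns nesting `*()` or `+()` extglobs before they reach `minimatch()`, usable as defence in depth while the upgrade is rolled out. The function names, the escape handling and the sample patterns are assumptions of this example; upgrading remains the fix.

```javascript
// Added defensive pre-check (not from the minimatch project): refuse glob
// patterns that nest *() or +() extglobs, because those compile to nested
// unbounded regexp quantifiers such as (?:(?:a|b)*)* and backtrack
// catastrophically in V8 on unfixed minimatch versions.
function hasNestedUnboundedExtglob(pattern) {
  const stack = []; // one entry per '(': true if it opened a *() or +() group
  let depth = 0;    // number of enclosing *() / +() groups at this point
  let prev = '';    // previous unescaped character ('' right after an escape)
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '\\') { i += 1; prev = ''; continue; } // next char is literal
    if (ch === '(') {
      const unbounded = prev === '*' || prev === '+'; // *( or +( opens here
      if (unbounded && depth > 0) return true;        // nested *()/+() found
      if (unbounded) depth += 1;
      stack.push(unbounded);
    } else if (ch === ')' && stack.length > 0) {
      if (stack.pop()) depth -= 1;                    // leaving a *()/+() group
    }
    prev = ch;
  }
  return false;
}

// Screens a batch of untrusted patterns; returns the ones that must be rejected
// (or logged as a detection signal) instead of being passed to minimatch().
function rejectedGlobs(patterns) {
  return patterns.filter(hasNestedUnboundedExtglob);
}

// Constructed sample input: the advisory's 12-byte pattern plus benign globs.
const SAMPLE_PATTERNS = [
  '*(*(*(a|b)))',   // from the advisory: nested *() -> reject
  'src/**/*.js',    // globstar only, no extglob -> allow
  '+(a|b)*(c)',     // sibling extglobs, not nested -> allow
  '*(@(a|b))',      // @() inside *() adds no unbounded quantifier -> allow
  '\\*(*(a))',      // escaped '*' is literal, so only one *() -> allow
];

console.log(rejectedGlobs(SAMPLE_PATTERNS)); // prints [ '*(*(*(a|b)))' ]
```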
Details
- CWE(s)