CVE-2026-33671
Published: 26 March 2026
Summary
CVE-2026-33671 is a high-severity Inefficient Regular Expression Complexity (CWE-1333) vulnerability in Jonschlinkert Picomatch. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 5.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 requires timely flaw remediation, directly addressing vulnerable picomatch versions by mandating upgrades to fixed releases like 4.0.4.
SI-10 enforces information input validation, preventing crafted extglob patterns from being processed by picomatch through sanitization, allowlists, or rejection.
SC-5 provides denial-of-service protection via resource monitoring, limits, and mitigation, countering ReDoS-induced CPU exhaustion and Node.js event loop blocking.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
ReDoS enables remote denial of service via crafted input to public-facing applications that use the library (T1190 as the initial exploitation vector) and maps directly to Application or System Exploitation causing resource exhaustion (T1499.004).
NVD Description
Picomatch is a glob matcher written in JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as `+()` and `*()`, especially when combined with overlapping alternatives or nested extglobs, are compiled into regular expressions that can exhibit catastrophic backtracking on non-matching input. Applications are impacted when they allow untrusted users to supply glob patterns that are passed to `picomatch` for compilation or matching. In those cases, an attacker can cause excessive CPU consumption and block the Node.js event loop, resulting in a denial of service. Applications that only use trusted, developer-controlled glob patterns are much less likely to be exposed in a security-relevant way. This issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2. Users should upgrade to one of these versions or later, depending on their supported release line. If upgrading is not immediately possible, avoid passing untrusted glob patterns to `picomatch`. Possible mitigations include disabling extglob support for untrusted patterns by using `noextglob: true`, rejecting or sanitizing patterns containing nested extglobs or extglob quantifiers such as `+()` and `*()`, enforcing strict allowlists for accepted pattern syntax, running matching in an isolated worker or separate process with time and resource limits, and applying application-level request throttling and input validation for any endpoint that accepts glob patterns.
Deeper analysis
Picomatch, a JavaScript glob matcher library, is affected by CVE-2026-33671, a Regular Expression Denial of Service (ReDoS) vulnerability rated at CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and mapped to CWE-1333. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable when processing crafted extglob patterns, such as those using quantifiers like +() and *() combined with overlapping alternatives or nested extglobs. These patterns compile into regular expressions that exhibit catastrophic backtracking on non-matching input, leading to excessive resource consumption.
An attacker can exploit this vulnerability in applications that accept untrusted user-supplied glob patterns and pass them to picomatch for compilation or matching. No privileges are required, enabling remote exploitation over the network with low complexity. Successful exploitation causes excessive CPU usage and blocks the Node.js event loop, resulting in denial of service. Applications using only trusted, developer-controlled patterns face lower risk.
The GitHub security advisory (GHSA-c2c7-rcm5-vvqj) and related commit recommend upgrading to picomatch 4.0.4, 3.0.2, or 2.3.2 or later, based on the supported release line. If upgrading is not feasible, mitigations include avoiding untrusted glob patterns, disabling extglob support with the noextglob: true option, rejecting or sanitizing patterns with nested extglobs or quantifiers like +() and *(), enforcing strict allowlists for pattern syntax, isolating matching in workers or separate processes with resource limits, and applying request throttling plus input validation for glob-accepting endpoints.
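The input-validation mitigations listed in the NVD description and the analysis above (rejecting extglob syntax, enforcing a syntax allowlist, and compiling with `noextglob: true`) as an added example; this is not code from the picomatch project or the advisory. It assumes picomatch is called as `picomatch(pattern, options)`; the `compile` function is injected so the gate can run without the library, and `MAX_PATTERN_LENGTH` is an assumed per-application budget.

```javascript
// Added example: gate untrusted glob patterns before they reach picomatch.
// Not part of picomatch or the advisory; assumes picomatch(pattern, options).

const EXTGLOB_OPENER = /[?*+@!]\(/;               // extglob openers: ?( *( +( @( !(
const ALLOWED_SYNTAX = /^[A-Za-z0-9_.\-\/*?]+$/;  // literals, '*', '?' and '/' only
const MAX_PATTERN_LENGTH = 128;                   // assumed budget for this app

// Classify an untrusted pattern. Returns { ok: true } or { ok: false, reason }.
// The reason string is meant to be logged, so rejected patterns are auditable.
function vetGlobPattern(pattern) {
  if (typeof pattern !== 'string' || pattern.length === 0) {
    return { ok: false, reason: 'empty-or-not-string' };
  }
  if (pattern.length > MAX_PATTERN_LENGTH) {
    return { ok: false, reason: 'too-long' };
  }
  if (EXTGLOB_OPENER.test(pattern)) {
    // Rejects +() and *() named in the advisory, and any nested extglob,
    // since every extglob starts with one of these openers.
    return { ok: false, reason: 'extglob-syntax' };
  }
  if (!ALLOWED_SYNTAX.test(pattern)) {
    // Strict allowlist: braces, brackets, negation and spaces are not accepted.
    return { ok: false, reason: 'outside-allowlist' };
  }
  return { ok: true };
}

// Options passed even for vetted patterns: defence in depth if the vet is bypassed.
const HARDENED_OPTIONS = Object.freeze({ noextglob: true });

// Compile an untrusted pattern through `compile` (e.g. require('picomatch')).
// Throws on rejected patterns so callers cannot forget to check the verdict.
function compileUntrustedGlob(pattern, compile) {
  const verdict = vetGlobPattern(pattern);
  if (!verdict.ok) {
    throw new Error(`glob pattern rejected: ${verdict.reason}`);
  }
  return compile(pattern, HARDENED_OPTIONS);
}
```

Pair the gate with the remaining mitigations the advisory names (a worker or separate process with a time limit, and request throttling on the endpoint), since validation alone does not bound CPU time for patterns that slip through.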
Details
- CWE(s)