CVE-2026-27904 Overview
CVE-2026-27904 is a Regular Expression Denial of Service (ReDoS) vulnerability affecting minimatch, a widely used Node.js utility for converting glob expressions into JavaScript RegExp objects. The vulnerability allows attackers to cause catastrophic backtracking in V8's regular expression engine through specially crafted nested extglob patterns, leading to severe application hangs and denial of service conditions.
Critical Impact
A minimal 12-byte malicious pattern combined with an 18-byte non-matching input can stall applications for over 7 seconds, with additional nesting or input characters extending this to minutes of CPU exhaustion.
Affected Products
- minimatch versions prior to 10.2.3
- minimatch versions prior to 9.0.7, 8.0.6, 7.4.8
- minimatch versions prior to 6.2.2, 5.1.8, 4.2.5, 3.1.4
Discovery Timeline
- 2026-02-26 - CVE-2026-27904 published to NVD
- 2026-02-26 - Last updated in NVD database
Technical Details for CVE-2026-27904
Vulnerability Analysis
This vulnerability stems from CWE-1333 (Inefficient Regular Expression Complexity), a weakness category that describes regular expressions susceptible to catastrophic backtracking. When minimatch processes nested *() or +() extglob patterns, it generates regular expressions containing nested unbounded quantifiers such as (?:(?:a|b)*)*. These patterns cause the V8 JavaScript engine to enter an exponential backtracking state when attempting to match certain non-matching inputs.
The vulnerability is particularly dangerous because it affects the default minimatch() API with no special options required. The minimum viable attack pattern is only 12 bytes (*(*(*(a|b)))), making exploitation trivially easy for attackers. This low barrier to entry combined with the severe performance impact makes this a significant denial of service vector for any application utilizing minimatch for glob pattern matching.
Root Cause
The root cause lies in how minimatch translates nested extglob quantifiers into JavaScript regular expressions. The *() and +() extglob constructs map to regex quantifiers that, when nested, create patterns with exponential time complexity. When the regex engine encounters these patterns with non-matching input, it attempts all possible matching combinations before concluding failure, resulting in catastrophic backtracking behavior that consumes excessive CPU resources.
Attack Vector
The attack exploits minimatch's glob-to-regex conversion by providing a crafted glob pattern containing nested quantifiers. An attacker can trigger this vulnerability through any application feature that accepts user-supplied glob patterns processed by minimatch.
The exploitation mechanism involves supplying a nested extglob pattern like *(*(*(a|b))) along with a carefully crafted non-matching input string. The regex engine's backtracking behavior causes CPU exhaustion, with processing time growing exponentially as nesting depth or input length increases. A simple 12-byte pattern with 18-byte input demonstrates 7+ seconds of blocking time, while slightly larger inputs can extend this to minutes, effectively freezing the application.
Detection Methods for CVE-2026-27904
Indicators of Compromise
- Abnormally high CPU utilization in Node.js processes handling pattern matching operations
- Application threads becoming unresponsive when processing glob patterns
- Increased latency or timeouts in services utilizing minimatch for file matching
- Log entries showing extended processing times for pattern evaluation operations
Detection Strategies
- Monitor for incoming requests containing nested extglob patterns (such as *( and +( groups opened inside one another) in user-supplied input fields
- Implement application performance monitoring (APM) to detect sudden CPU spikes correlated with pattern matching operations
- Use dependency scanning tools to identify vulnerable minimatch versions in your application dependencies
- Deploy runtime protection that can detect and terminate excessive regex evaluation time
Monitoring Recommendations
- Configure alerts for CPU usage thresholds on services utilizing minimatch
- Implement request timeout monitoring for endpoints that process glob patterns
- Review application logs for patterns indicating extended regex evaluation
- Monitor package dependency updates for minimatch security patches
How to Mitigate CVE-2026-27904
Immediate Actions Required
- Update minimatch to a patched version: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, or 3.1.4
- Audit applications to identify all direct and transitive dependencies on minimatch
- Implement input validation to reject or sanitize glob patterns containing nested extglob constructs
- Consider implementing timeouts for pattern matching operations as a defense-in-depth measure
Patch Information
Fixed versions have been released across all maintained branches. Refer to the GitHub Security Advisory for detailed patch information and upgrade guidance. The patches address the nested quantifier issue by modifying how extglob patterns are converted to regular expressions, preventing the generation of exponentially complex regex patterns.
Workarounds
- Implement input validation to reject glob patterns with nested *() or +() constructs
- Apply request timeouts to limit the impact of potential ReDoS attacks
- Use allowlists for acceptable glob patterns rather than accepting arbitrary user input
- Consider wrapping minimatch calls with timeout protection using worker threads
# Update minimatch to a patched version
# (npm update stays within the semver range declared in package.json, so a
#  dependency pinned to an older major line needs an explicit install below)
npm update minimatch
# Or install a specific patched version
npm install minimatch@10.2.3
# Check the installed version (including transitive copies)
npm list minimatch
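As an added example (not code from minimatch or from this advisory) of the input-validation workaround listed above, the following pre-check measures how deeply *( and +( extglob groups are nested in a glob and rejects patterns that nest them before they reach minimatch(); the depth limit of 1 and the guardedMatch wrapper are assumptions of this example.

```javascript
// Added example, not code from minimatch or from the advisory: refuse glob
// patterns whose *( ) or +( ) extglob groups are nested inside each other.
// Assumption (ours): a group is "nested" when a *( or +( opens while another
// *( or +( is still open; escaped characters such as \* are ignored. Other
// extglob kinds (?( @( !( ) are tracked only so their closing parens pair up.

const UNBOUNDED = new Set(['*', '+']); // extglob types mapped to unbounded quantifiers
const EXTGLOB_PREFIXES = '*+?@!';

// Returns the deepest nesting of *( / +( groups found in the pattern.
function maxUnboundedExtglobDepth(pattern) {
  const open = [];      // stack of open extglob groups: true if *( or +(
  let depth = 0;
  let maxDepth = 0;
  let prev = '';        // previous unescaped character
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === '\\') { i++; prev = ''; continue; } // skip the escaped char
    if (c === '(' && prev !== '' && EXTGLOB_PREFIXES.includes(prev)) {
      const unbounded = UNBOUNDED.has(prev);
      open.push(unbounded);
      if (unbounded) { depth++; maxDepth = Math.max(maxDepth, depth); }
    } else if (c === ')' && open.length > 0) {
      if (open.pop()) depth--;
    }
    prev = c;
  }
  return maxDepth;
}

// Policy (assumed here): at most one level of *( / +(, i.e. no nesting.
function isSafeGlob(pattern, maxDepth = 1) {
  return maxUnboundedExtglobDepth(pattern) <= maxDepth;
}

// Wrap any matcher (e.g. minimatch) so unsafe patterns are rejected up front.
function guardedMatch(matchFn, path, pattern) {
  if (!isSafeGlob(pattern)) {
    throw new Error(`rejected glob with nested extglob quantifiers: ${pattern}`);
  }
  return matchFn(path, pattern);
}

// Constructed samples: the advisory's 12-byte pattern plus some benign globs.
const samples = ['*(*(*(a|b)))', '*(a|b)', 'src/**/*.js', '\\*(a)', '@(*(a|b))'];
for (const p of samples) console.log(p, '->', isSafeGlob(p) ? 'ok' : 'REJECT');
```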
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.