CVE-2026-33671 Overview
CVE-2026-33671 is a Regular Expression Denial of Service (ReDoS) vulnerability affecting Picomatch, a popular JavaScript glob matcher library. The vulnerability exists in versions prior to 4.0.4, 3.0.2, and 2.3.2, where crafted extglob patterns can trigger catastrophic backtracking in the compiled regular expressions, leading to denial of service conditions.
Critical Impact
Attackers can exploit this vulnerability to cause excessive CPU consumption and block the Node.js event loop by supplying malicious glob patterns, resulting in application-wide denial of service.
Affected Products
- Picomatch versions prior to 4.0.4
- Picomatch versions prior to 3.0.2
- Picomatch versions prior to 2.3.2
Discovery Timeline
- 2026-03-26 - CVE CVE-2026-33671 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-33671
Vulnerability Analysis
This vulnerability stems from inefficient regular expression handling in Picomatch's extglob pattern compilation. When processing certain extglob patterns that contain quantifiers such as +() and *(), especially when combined with overlapping alternatives or nested extglobs, the library compiles these into regular expressions susceptible to catastrophic backtracking.
The core issue is a classic ReDoS scenario (CWE-1333) where the regex engine's backtracking behavior becomes exponentially complex on non-matching input strings. Applications that expose glob pattern compilation to untrusted user input are particularly vulnerable, as an attacker can craft patterns that cause the Node.js event loop to become blocked during regex evaluation.
Root Cause
The root cause is the compilation of user-supplied extglob patterns into regular expressions without adequate safeguards against patterns that can exhibit exponential time complexity. The recursive nature of nested extglobs combined with quantifiers creates regex patterns where the number of possible matching paths grows exponentially with input length.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by submitting crafted glob patterns to any application endpoint that passes user-supplied patterns to Picomatch for compilation or matching. The patterns specifically target the extglob syntax with constructs like +(pattern) and *(pattern) that, when nested or combined with overlapping alternatives, produce regex patterns vulnerable to catastrophic backtracking.
const WIN_SLASH = '\\\\\\\\/';\n const WIN_NO_SLASH = `[^${WIN_SLASH}]`;\n \n+const DEFAULT_MAX_EXTGLOB_RECURSION = 0;\n+\n /**\n * Posix glob regex\n */
Source: GitHub Commit Log
The security patch introduces a DEFAULT_MAX_EXTGLOB_RECURSION constant set to 0, which limits the depth of extglob recursion to prevent the construction of exponentially complex regular expressions.
Detection Methods for CVE-2026-33671
Indicators of Compromise
- Abnormally high CPU utilization in Node.js processes handling glob pattern matching
- Application timeouts or unresponsiveness in endpoints that accept glob patterns
- Blocked event loops causing cascading failures in Node.js applications
- Error logs indicating regex evaluation timeouts or process hangs
Detection Strategies
- Monitor for requests containing deeply nested extglob patterns such as +(), *(), @(), !(), or ?()
- Implement regex complexity analysis on incoming glob patterns before passing to Picomatch
- Set up application performance monitoring to detect sudden CPU spikes during pattern matching operations
- Audit dependencies using npm audit or similar tools to identify vulnerable Picomatch versions
Monitoring Recommendations
- Deploy Node.js process monitoring to track event loop lag and CPU utilization
- Implement request-level timeouts for endpoints that accept and process glob patterns
- Configure alerting thresholds for abnormal regex evaluation times
- Monitor application logs for patterns indicative of ReDoS attempts
How to Mitigate CVE-2026-33671
Immediate Actions Required
- Upgrade Picomatch to version 4.0.4, 3.0.2, or 2.3.2 depending on your supported release line
- Audit application code to identify all locations where user-supplied input is passed to Picomatch
- Implement input validation to reject or sanitize glob patterns containing nested extglobs or extglob quantifiers
- Consider running glob matching operations in isolated workers or separate processes with time limits
Patch Information
The vulnerability has been patched in Picomatch versions 4.0.4, 3.0.2, and 2.3.2. The fix introduces recursion limits for extglob pattern processing. Users should upgrade to the appropriate patched version for their release line. For detailed patch information, see the GitHub Security Advisory and the security commit.
Workarounds
- Disable extglob support for untrusted patterns by setting noextglob: true in Picomatch options
- Enforce strict allowlists for accepted pattern syntax in user-facing endpoints
- Apply application-level request throttling and input validation for endpoints accepting glob patterns
- Run pattern matching in isolated worker threads or separate processes with resource limits
# Update picomatch to patched version
npm update picomatch@latest
# Or install specific patched version
npm install picomatch@4.0.4
# Audit for vulnerable dependencies
npm audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
