CVE-2026-33672 Overview
CVE-2026-33672 is a method injection vulnerability in Picomatch, a popular glob matcher library written in JavaScript. The vulnerability affects the POSIX_REGEX_SOURCE object, which inherits from Object.prototype, allowing specially crafted POSIX bracket expressions (e.g., [[:constructor:]]) to reference inherited method names. These methods are implicitly converted to strings and injected into the generated regular expression, leading to incorrect glob matching behavior.
Critical Impact
This vulnerability enables security-relevant logic errors in applications that rely on glob matching for filtering, validation, or access control. Attackers can craft malicious glob patterns that cause unintended filename matches, potentially bypassing security controls.
Affected Products
- Picomatch versions prior to 4.0.4
- Picomatch versions prior to 3.0.2
- Picomatch versions prior to 2.3.2
Discovery Timeline
- 2026-03-26 - CVE CVE-2026-33672 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-33672
Vulnerability Analysis
This vulnerability is classified as CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes), commonly known as prototype pollution. The issue stems from the POSIX_REGEX_SOURCE object in Picomatch not using a null prototype, allowing it to inherit properties from Object.prototype.
When processing POSIX character class expressions like [[:alnum:]], the library looks up the class name (e.g., "alnum") as a property on POSIX_REGEX_SOURCE. However, because this object inherits from Object.prototype, attackers can supply class names that correspond to inherited methods such as constructor, toString, or hasOwnProperty.
When these inherited methods are accessed, they are implicitly converted to strings (producing values like "function Object() { [native code] }") and injected directly into the generated regular expression. This corrupts the regex pattern and causes incorrect matching behavior.
Root Cause
The root cause is the absence of a null prototype on the POSIX_REGEX_SOURCE object. Without __proto__: null, the object inherits all standard JavaScript object methods, creating an unintended lookup path for malicious input. This is a common prototype pollution pattern in JavaScript applications where objects are used as dictionaries without proper prototype chain isolation.
Attack Vector
The attack can be conducted over the network by any unauthenticated user who can supply glob patterns to an application using vulnerable Picomatch versions. The attacker crafts a malicious POSIX bracket expression that references an inherited Object.prototype method name:
- Attacker identifies an application accepting user-controlled glob patterns
- Attacker submits a glob pattern containing [[:constructor:]] or similar inherited property names
- Picomatch looks up "constructor" in POSIX_REGEX_SOURCE, finding it on Object.prototype
- The constructor function is converted to string and injected into the regex
- The corrupted regex produces incorrect matching results, potentially bypassing security filters
While this does not enable remote code execution, it can cause applications to make incorrect security decisions based on faulty glob matching results.
*/
const POSIX_REGEX_SOURCE = {
+ __proto__: null,
alnum: 'a-zA-Z0-9',
alpha: 'a-zA-Z',
ascii: '\\\x00-\\\x7F',
Source: GitHub Commit Update
The fix adds __proto__: null to the POSIX_REGEX_SOURCE object, preventing it from inheriting properties from Object.prototype and ensuring only explicitly defined POSIX character classes are accessible.
Detection Methods for CVE-2026-33672
Indicators of Compromise
- Unusual glob patterns in application logs containing POSIX bracket expressions like [[:constructor:]], [[:toString:]], or [[:hasOwnProperty:]]
- Unexpected file access patterns where glob-based filters fail to properly restrict or match files
- Error messages or regex exceptions related to malformed regular expressions in glob matching operations
Detection Strategies
- Audit application dependencies using npm audit, yarn audit, or similar package scanning tools to identify vulnerable Picomatch versions
- Implement input validation to detect and reject glob patterns containing suspicious POSIX bracket expressions referencing JavaScript prototype methods
- Review application logs for anomalous glob pattern submissions that deviate from expected usage patterns
Monitoring Recommendations
- Configure application logging to capture all user-supplied glob patterns for forensic analysis
- Set up alerts for regex compilation errors or unexpected matching behavior in glob-based security controls
- Monitor Software Composition Analysis (SCA) tools for vulnerable dependency alerts
How to Mitigate CVE-2026-33672
Immediate Actions Required
- Upgrade Picomatch to version 4.0.4, 3.0.2, or 2.3.2 or later depending on your supported release line
- Audit applications to identify all locations where user-controlled input is passed to Picomatch glob matching functions
- Implement input validation to sanitize or reject untrusted glob patterns, especially those containing POSIX character classes
Patch Information
The vulnerability has been fixed in Picomatch versions 4.0.4, 3.0.2, and 2.3.2. The fix modifies the POSIX_REGEX_SOURCE object to use a null prototype (__proto__: null), preventing inherited method lookups from Object.prototype. For detailed patch information, see the GitHub Security Advisory GHSA-3v7f-55p6-f55p and the security commit.
Workarounds
- Avoid passing untrusted or user-controlled glob patterns directly to Picomatch
- Sanitize glob patterns by rejecting or escaping POSIX bracket expressions matching the pattern [[:...:]]
- Manually patch the library by modifying POSIX_REGEX_SOURCE to use a null prototype if upgrading is not immediately possible
# Configuration example - Update picomatch in package.json
npm update picomatch@4.0.4
# Or for specific version lines:
npm install picomatch@3.0.2
npm install picomatch@2.3.2
# Verify the installed version
npm list picomatch
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
