1. Home
  2. Vulnerabilities
  3. CVE-2026-27903
7.5
HIGH CVSS 3.1
CVE-2026-27903
minimatch has a ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments
Overview
Description

minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, `matchOne()` performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent `**` (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where `n` is the number of path segments and `k` is the number of globstars. With k=11 and n=30, a call to the default `minimatch()` API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior. Any application where an attacker can influence the glob pattern passed to `minimatch()` is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3 fix the issue.

Details
INFO

Published Date :

Feb. 26, 2026, 2:16 a.m.

Last Modified :

Feb. 27, 2026, 5:21 p.m.

Remotely Exploit :

Yes !

Source :

[email protected]
Impact
Affected Products

The following products are affected by CVE-2026-27903 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Minimatch_project minimatch
: Total Affected Vendor : 1 | Products : 1
Scoring
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and displays CVSS scores from various sources for each CVE.
Score Version Severity Vector Exploitability Score Impact Score Source
CVSS 3.1 HIGH [email protected]
Solution
Update minimatch to a patched version to prevent denial-of-service via regex backtracking.
  • Update minimatch to version 10.2.3 or later.
  • Update minimatch to version 9.0.7 or later.
  • Update minimatch to version 8.0.6 or later.
  • Update minimatch to the latest patched version.
Public PoC/Exploit Available at Github

CVE-2026-27903 has a 6 public PoC/Exploit available at Github. Go to the Public Exploits tab to see the list.

References
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2026-27903.

URL Resource
https://github.com/isaacs/minimatch/security/advisories/GHSA-7r86-cg39-jmmj Exploit Vendor Advisory
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2026-27903 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2026-27903 weaknesses.

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Profile Photo
MehdiZare/strapi-plugin-cloudflare-r2-assets

Strapi 5 upload provider for Cloudflare R2 with edge image resizing

TypeScript Shell JavaScript

Updated: 2 weeks, 6 days ago
0 stars 0 fork 0 watcher
Born at : Feb. 27, 2026, 6 p.m. This repo has been linked 2 different CVEs too.
Profile Photo
tao-lian/openclaw

None

Dockerfile

Updated: 1 day, 23 hours ago
1 stars 0 fork 0 watcher
Born at : Feb. 10, 2026, 8:23 p.m. This repo has been linked 11 different CVEs too.
Profile Photo
able-wong/docx-markdown-utils

Utilities for converting between DOCX and Markdown formats

JavaScript TypeScript HTML

Updated: 2 days, 15 hours ago
0 stars 0 fork 0 watcher
Born at : April 23, 2025, 3:50 a.m. This repo has been linked 5 different CVEs too.
Profile Photo
huchukato/stemify-audio-splitter

🎵 AI-powered audio separation tool - Split any audio file into vocals, drums, bass, and other instruments using advanced machine learning. Built with React, Flask, and Facebook's Demucs v4 model.

ai audio-editor audio-processing audio-separation demucs flask machine-learning music machine-learning-projects music-composition react stem-separation

Python JavaScript HTML TypeScript CSS Shell Batchfile

Updated: 1 week, 6 days ago
7 stars 0 fork 0 watcher
Born at : Nov. 7, 2024, 11:21 p.m. This repo has been linked 3 different CVEs too.
Profile Photo
runwhen-contrib/helm-charts

All Public RunWhen Helm Charts - Managed by terraform

Shell Dockerfile Go Template

Updated: 2 days, 9 hours ago
1 stars 0 fork 0 watcher
Born at : Sept. 18, 2023, 10:09 a.m. This repo has been linked 92 different CVEs too.
Profile Photo
heroyik/heroyik.github.io

Building at the edge of creativity 🎨 Code, 3D fashion, and AI-driven experiences living in one inclusive digital portfolio.

ai-apps investment language-learning portfolio woodworking 3d-fashion

HTML JavaScript Nunjucks CSS

Updated: 2 days, 6 hours ago
1 stars 0 fork 0 watcher
Born at : Nov. 18, 2020, 5:58 p.m. This repo has been linked 2 different CVEs too.

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2026-27903 vulnerability anywhere in the article.

Results are limited to the first 20 news articles due to potential performance issues.

The following table lists the changes that have been made to the CVE-2026-27903 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Initial Analysis by [email protected]

    Feb. 27, 2026

    Action Type Old Value New Value
    Added CPE Configuration OR *cpe:2.3:a:minimatch_project:minimatch:*:*:*:*:*:node.js:*:* versions from (including) 10.0.0 up to (excluding) 10.2.3 *cpe:2.3:a:minimatch_project:minimatch:*:*:*:*:*:node.js:*:* versions from (including) 4.0.0 up to (excluding) 4.2.5 *cpe:2.3:a:minimatch_project:minimatch:*:*:*:*:*:node.js:*:* versions from (including) 5.0.0 up to (excluding) 5.1.8 *cpe:2.3:a:minimatch_project:minimatch:*:*:*:*:*:node.js:*:* versions from (including) 6.0.0 up to (excluding) 6.2.2 *cpe:2.3:a:minimatch_project:minimatch:*:*:*:*:*:node.js:*:* versions from (including) 7.0.0 up to (excluding) 7.4.8 *cpe:2.3:a:minimatch_project:minimatch:*:*:*:*:*:node.js:*:* versions from (including) 8.0.0 up to (excluding) 8.0.6 *cpe:2.3:a:minimatch_project:minimatch:*:*:*:*:*:node.js:*:* versions from (including) 9.0.0 up to (excluding) 9.0.7 *cpe:2.3:a:minimatch_project:minimatch:*:*:*:*:*:node.js:*:* versions up to (excluding) 3.1.3
    Added Reference Type GitHub, Inc.: https://github.com/isaacs/minimatch/security/advisories/GHSA-7r86-cg39-jmmj Types: Exploit, Vendor Advisory
  • New CVE Received by [email protected]

    Feb. 26, 2026

    Action Type Old Value New Value
    Added Description minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, `matchOne()` performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent `**` (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where `n` is the number of path segments and `k` is the number of globstars. With k=11 and n=30, a call to the default `minimatch()` API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior. Any application where an attacker can influence the glob pattern passed to `minimatch()` is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3 fix the issue.
    Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    Added CWE CWE-407
    Added Reference https://github.com/isaacs/minimatch/security/advisories/GHSA-7r86-cg39-jmmj
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
CVSS
Vulnerability Scoring Details
Base CVSS Score: 7.5
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact