CVE-2026-33671
Picomatch has a ReDoS vulnerability via extglob quantifiers
Description
Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as `+()` and `*()`, especially when combined with overlapping alternatives or nested extglobs, are compiled into regular expressions that can exhibit catastrophic backtracking on non-matching input. Applications are impacted when they allow untrusted users to supply glob patterns that are passed to `picomatch` for compilation or matching. In those cases, an attacker can cause excessive CPU consumption and block the Node.js event loop, resulting in a denial of service. Applications that only use trusted, developer-controlled glob patterns are much less likely to be exposed in a security-relevant way. This issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2. Users should upgrade to one of these versions or later, depending on their supported release line. If upgrading is not immediately possible, avoid passing untrusted glob patterns to `picomatch`. Possible mitigations include disabling extglob support for untrusted patterns by using `noextglob: true`, rejecting or sanitizing patterns containing nested extglobs or extglob quantifiers such as `+()` and `*()`, enforcing strict allowlists for accepted pattern syntax, running matching in an isolated worker or separate process with time and resource limits, and applying application-level request throttling and input validation for any endpoint that accepts glob patterns.
INFO
Published Date :
March 26, 2026, 10:16 p.m.
Last Modified :
April 1, 2026, 1:45 p.m.
Remotely Exploit :
Yes !
Source :
[email protected]
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | HIGH | [email protected] | ||||
| CVSS 3.1 | HIGH | MITRE-CVE |
Solution
- Upgrade picomatch to version 4.0.4 or later.
- If upgrading is not possible, disable extglob support.
- Sanitize untrusted glob patterns before use.
- Run matching in a separate, resource-limited process.
Public PoC/Exploit Available at Github
CVE-2026-33671 has a 6 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2026-33671.
| URL | Resource |
|---|---|
| https://github.com/micromatch/picomatch/commit/5eceecd27543b8e056b9307d69e105ea03618a7d | Patch |
| https://github.com/micromatch/picomatch/security/advisories/GHSA-c2c7-rcm5-vvqj | Patch Vendor Advisory |
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2026-33671 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2026-33671
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Minimal repro for Next.js 16.2.4 bundling picomatch 4.0.3 (CVE-2026-33671)
Dockerfile TypeScript JavaScript
None
Java Shell Batchfile Dockerfile HTML JavaScript TypeScript CSS EJS SCSS
DevSecOps Process Tracker
Dockerfile TypeScript CSS JavaScript HTML
None
TypeScript PLpgSQL HTML JavaScript CSS Batchfile Nix Shell
None
Dockerfile
All Public RunWhen Helm Charts - Managed by terraform
Shell Dockerfile Go Template
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-33671 vulnerability anywhere in the article.
The following table lists the changes that have been made to the
CVE-2026-33671 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Initial Analysis by [email protected]
Apr. 01, 2026
Action Type Old Value New Value Added CPE Configuration OR *cpe:2.3:a:jonschlinkert:picomatch:*:*:*:*:*:node.js:*:* versions up to (excluding) 2.3.2 *cpe:2.3:a:jonschlinkert:picomatch:*:*:*:*:*:node.js:*:* versions from (including) 3.0.0 up to (excluding) 3.0.2 *cpe:2.3:a:jonschlinkert:picomatch:*:*:*:*:*:node.js:*:* versions from (including) 4.0.0 up to (excluding) 4.0.4 Added Reference Type GitHub, Inc.: https://github.com/micromatch/picomatch/commit/5eceecd27543b8e056b9307d69e105ea03618a7d Types: Patch Added Reference Type GitHub, Inc.: https://github.com/micromatch/picomatch/security/advisories/GHSA-c2c7-rcm5-vvqj Types: Patch, Vendor Advisory -
New CVE Received by [email protected]
Mar. 26, 2026
Action Type Old Value New Value Added Description Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as `+()` and `*()`, especially when combined with overlapping alternatives or nested extglobs, are compiled into regular expressions that can exhibit catastrophic backtracking on non-matching input. Applications are impacted when they allow untrusted users to supply glob patterns that are passed to `picomatch` for compilation or matching. In those cases, an attacker can cause excessive CPU consumption and block the Node.js event loop, resulting in a denial of service. Applications that only use trusted, developer-controlled glob patterns are much less likely to be exposed in a security-relevant way. This issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2. Users should upgrade to one of these versions or later, depending on their supported release line. If upgrading is not immediately possible, avoid passing untrusted glob patterns to `picomatch`. Possible mitigations include disabling extglob support for untrusted patterns by using `noextglob: true`, rejecting or sanitizing patterns containing nested extglobs or extglob quantifiers such as `+()` and `*()`, enforcing strict allowlists for accepted pattern syntax, running matching in an isolated worker or separate process with time and resource limits, and applying application-level request throttling and input validation for any endpoint that accepts glob patterns. Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Added CWE CWE-1333 Added Reference https://github.com/micromatch/picomatch/commit/5eceecd27543b8e056b9307d69e105ea03618a7d Added Reference https://github.com/micromatch/picomatch/security/advisories/GHSA-c2c7-rcm5-vvqj