minimatch, ReDoS, CVE-2026-26996 (HIGH)

Listen to this Post

The vulnerability CVE-2026-26996 resides in the `minimatch` library, a utility for converting glob patterns (like .js) into JavaScript Regular Expressions. Versions 10.2.0 and below are susceptible to a Regular Expression Denial of Service (ReDoS) attack. The flaw is triggered when a glob pattern containing a long sequence of consecutive wildcards is followed by a literal character that does not exist in the target string. During compilation, each is transformed into a `[^/]?` regex group. When the pattern fails to find the literal character, V8’s regex engine attempts to backtrack exponentially across all possible ways the input string could be split among the numerous groups. This backtracking results in a time complexity of O(4^N), where N is the number of characters. For instance, a pattern with 15 consecutive characters can cause a `minimatch()` call to take approximately 2 seconds, while a pattern with 34 characters can cause the application to hang indefinitely. Any application that allows user-controlled input to be passed as the pattern argument to `minimatch` is vulnerable to this DoS condition. The issue has been addressed in version 10.2.1 by altering the regex compilation to prevent this catastrophic backtracking .

dailycve form:

Platform: Node.js/npm
Version: <=10.2.0
Vulnerability : Regular Expression DoS
Severity: HIGH
date: 2026-02-19

Prediction: Patch already available

What Undercode Say:

Analytics:

Check installed minimatch version in a project
npm list minimatch
Check which projects depend on minimatch
npm ls minimatch
Simulate the vulnerable pattern (if using vulnerable version)
This command will hang for a long time with N=34
node -e "const minimatch = require('minimatch'); minimatch('anything', 'X');"
Identify if a lockfile contains the vulnerable version
grep -E 'minimatch@10.[0-2].[0-9]' package-lock.json || grep -E 'minimatch@10.[0-2].[0-9]' yarn.lock

How Exploit:

An attacker would provide a maliciously crafted glob pattern as input to an application using a vulnerable `minimatch` version. The pattern consists of many consecutive “ characters followed by a literal character that is known to be absent. For example, X. When the application calls `minimatch()` with this pattern and any arbitrary string, the process will consume excessive CPU resources attempting to backtrack, effectively freezing the application .

Protection from this CVE:

Update to the patched version immediately
npm install [email protected] --save
Or the latest version
npm install minimatch@latest --save
If you cannot update immediately, implement input validation
to reject patterns with an excessive number of consecutive ''
characters. A safe pattern length limit should be enforced.

Impact:

A remote, unauthenticated attacker can cause the Node.js application to become unresponsive by sending a single, specially crafted request. This leads to a complete denial of service for all users, affecting the availability of the application without any impact on confidentiality or integrity . This is particularly critical for services that expose file searching or pattern-matching functionality to the internet.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top