minimatch can be slowed down or crashed by malicious input
CVE-2026-26996
GHSA-3ppc-4f35-3m26
Summary
A security issue in minimatch can cause it to take a very long time or hang when it is given a long glob pattern containing many consecutive wildcards followed by a character that does not occur in the string being matched. The pattern only needs to be supplied by a user, so file search, filter UIs and any other application that passes user-provided patterns to minimatch may be affected. To avoid this issue, validate and sanitize user-supplied glob patterns before passing them to minimatch.
What to do
- Update isaacs minimatch to version 10.2.1.
- Update isaacs minimatch to version 9.0.6.
- Update isaacs minimatch to version 8.0.5.
- Update isaacs minimatch to version 7.4.7.
- Update isaacs minimatch to version 6.2.1.
- Update isaacs minimatch to version 5.1.7.
- Update isaacs minimatch to version 4.2.4.
- Update isaacs minimatch to version 3.1.3.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| isaacs | minimatch | > 10.0.0 , <= 10.2.1 | 10.2.1 |
| isaacs | minimatch | > 9.0.0 , <= 9.0.6 | 9.0.6 |
| isaacs | minimatch | > 8.0.0 , <= 8.0.5 | 8.0.5 |
| isaacs | minimatch | > 7.0.0 , <= 7.4.7 | 7.4.7 |
| isaacs | minimatch | > 6.0.0 , <= 6.2.1 | 6.2.1 |
| isaacs | minimatch | > 5.0.0 , <= 5.1.7 | 5.1.7 |
| isaacs | minimatch | > 4.0.0 , <= 4.2.4 | 4.2.4 |
| isaacs | minimatch | <= 3.1.3 | 3.1.3 |
| minimatch_project | minimatch | <= 10.2.1 | – |
| minimatch_project | minimatch | > 3.0.0 , <= 3.1.3 | – |
| minimatch_project | minimatch | > 4.0.0 , <= 4.2.4 | – |
| minimatch_project | minimatch | > 5.0.0 , <= 5.1.7 | – |
| minimatch_project | minimatch | > 6.0.0 , <= 6.2.1 | – |
| minimatch_project | minimatch | > 7.0.0 , <= 7.4.7 | – |
| minimatch_project | minimatch | > 8.0.0 , <= 8.0.5 | – |
| minimatch_project | minimatch | > 9.0.0 , <= 9.0.6 | – |
| minimatch_project | minimatch | > 10.0.0 , <= 10.2.1 | – |
Original title
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern
Original description
### Summary
`minimatch` is vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive `*` wildcards followed by a literal character that doesn't appear in the test string. Each `*` compiles to a separate `[^/]*?` regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits.
The time complexity is O(4^N) where N is the number of `*` characters. With N=15, a single `minimatch()` call takes ~2 seconds. With N=34, it hangs effectively forever.
### PoC
When minimatch compiles a glob pattern, each `*` becomes `[^/]*?` in the generated regex. For a pattern like `***************X***`:
```
/^(?!\.)[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?X[^/]*?[^/]*?[^/]*?$/
```
When the test string doesn't contain `X`, the regex engine must try every possible way to distribute the characters across all the `[^/]*?` groups before concluding no match exists. With N groups and M characters, this is O(C(N+M, N)) — exponential.
### Impact
Any application that passes user-controlled strings to `minimatch()` as the pattern argument is vulnerable to DoS. This includes:
- File search/filter UIs that accept glob patterns
- `.gitignore`-style filtering with user-defined rules
- Build tools that accept glob configuration
- Any API that exposes glob matching to untrusted input
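The Summary above recommends validating and sanitizing user-supplied glob patterns, and the PoC explains why: every `*` becomes its own `[^/]*?` group, so the cost grows with the number of consecutive wildcards. The following is an added example of such a pre-validation step; it is not minimatch's own code. It assumes that a run of `*` inside a path segment matches the same strings as a single `*` (with a segment consisting only of `**` kept as the globstar), and the length and wildcard limits, as well as the function names, are assumptions chosen for this example.

```javascript
// Added example (not minimatch's own code): a pre-validation step applied to
// user-supplied glob patterns before they are handed to minimatch().
// The numeric limits below are assumptions chosen for this example.
const MAX_PATTERN_LENGTH = 256; // assumed upper bound for a legitimate glob
const MAX_WILDCARDS = 8;        // assumed; the advisory reports ~2 s at N=15

// Collapse runs of '*' inside one path segment. A segment that consists only
// of two or more '*' is the globstar '**' and is kept; anywhere else a run of
// '*' is assumed to match the same strings as a single '*', so it is reduced
// to one, which removes the consecutive [^/]*? groups the advisory describes.
function collapseStars(pattern) {
  return pattern
    .split('/')
    .map((segment) =>
      /^\*{2,}$/.test(segment) ? '**' : segment.replace(/\*{2,}/g, '*'))
    .join('/');
}

// Count the '*' characters that remain after collapsing; each one still
// compiles to its own wildcard group, so this bounds the backtracking depth.
function countStars(pattern) {
  return (pattern.match(/\*/g) || []).length;
}

// Returns { ok: true, pattern } with the normalised pattern, or
// { ok: false, reason } when the input should be rejected outright.
function validateGlob(pattern) {
  if (typeof pattern !== 'string') {
    return { ok: false, reason: 'pattern must be a string' };
  }
  if (pattern.length > MAX_PATTERN_LENGTH) {
    return { ok: false, reason: 'pattern too long' };
  }
  const collapsed = collapseStars(pattern);
  if (countStars(collapsed) > MAX_WILDCARDS) {
    return { ok: false, reason: 'too many wildcards' };
  }
  return { ok: true, pattern: collapsed };
}

// Constructed sample inputs: the advisory's PoC-style pattern, two ordinary
// globs, and two patterns that the validator should reject.
const samples = [
  '***************X***',
  'src/**/*.js',
  'a/***/b',
  '*a*b*c*d*e*f*g*h*i*',
  'x'.repeat(300),
];
for (const s of samples) {
  const shown = s.length > 40 ? s.slice(0, 20) + '...' : s;
  console.log(JSON.stringify(shown), '->', JSON.stringify(validateGlob(s)));
}
```

Collapsing turns the PoC-style pattern `***************X***` into `*X*`, which matches the same paths with only two wildcard groups, while `src/**/*.js` passes through unchanged. Patterns whose wildcards cannot be collapsed, such as `*a*b*c*d*e*f*g*h*i*`, are rejected before minimatch ever sees them; tune the limits to what your application legitimately needs.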
----
Thanks to @ljharb for back-porting the fix to legacy versions of minimatch.
NVD CVSS 3.1: 7.5
NVD CVSS 4.0: 8.7
Vulnerability type: CWE-1333 Inefficient Regular Expression Complexity (ReDoS)
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026