In February 2026, a severe vulnerability (CVE-2026-27904) was publicly disclosed in the minimatch npm package. Minimatch is a tiny but essential library that converts glob patterns (like **/*.js) into JavaScript regular expressions. If you use tools like npm, ESLint, webpack, or gulp, odds are you or your dependencies rely on minimatch.

This guide breaks down the issue in plain language, shows the real impact with code, and explains how to protect your project.

What is the Problem? (Non-Technical Summary)

Before version 10.2.3 (and the corresponding back-ported patch releases for the older major lines), minimatch had a bug where glob patterns using nested *() or +() extglobs were compiled into regular expressions that can take exponential time to reject an input.
When a pattern such as *(*(*(a|b))) is used, minimatch translates it into a regular expression with one unbounded quantifier nested inside another. On input that almost matches but ultimately fails, the JavaScript regex engine (V8 in Node.js) does not fail fast: it retries every way of dividing the input between the nested quantifiers, a behaviour called catastrophic backtracking. Even with a very short pattern and a short input, this can stall your code for seconds or minutes and lock up a server or CLI tool.

Exploit Details & Impact

Let's see the actual behavior. You can try this on any project still using a vulnerable minimatch version (<10.2.3, <9..7, <8..6, <7.4.8, <6.2.2, <5.1.8, <4.2.5, or <3.1.4).

Exploit Code Example

const { minimatch } = require("minimatch"); // recent majors expose minimatch as a named export; on old majors such as 3.x use: const minimatch = require("minimatch");

const pattern = '*(*(*(a|b)))';           // Only 12 bytes!
const input = 'bbbbbbbbbbbbbbbbbb' + 'c';  // 18 bytes that fit the pattern, plus one trailing byte that makes the whole match fail

console.time('minimatch');
const result = minimatch(input, pattern);  // false, but only after the engine has exhausted every backtracking path
console.timeEnd('minimatch');

// Output: minimatch: 700.125ms

Each additional *( nesting level, and each extra input character, multiplies the number of paths the engine has to try, so a slightly longer pattern or input pushes the processing time from under a second into minutes.

When minimatch translates an extglob like *(*(*(a|b))) into a regex, the result has the shape

(?:(?:(?:(a|b)*)*)*)

This is an example of nested unbounded quantifiers, a so-called "star inside a star."
When a regular expression like this is fed input that cannot match, the engine tries every possible way of dividing the input among the nested quantifiers, working through millions of failed paths before it finally gives up. This is catastrophic backtracking, and in any process that evaluates attacker-influenced patterns or file names it amounts to a denial of service (DoS): a single request or file name can lock up a Node.js server or CLI tool.
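To make the "star inside a star" concrete, the following is an added example (not code from the article or from the minimatch project). VULNERABLE is the illustrative translation shown above, anchored the way a full glob match is; it is not minimatch's exact generated regex. SAFE is an equivalent pattern for the same language (any string of a's and b's) that leaves the engine only one way to consume each character. The constant and function names are mine; the failing input is constructed in the code.

```javascript
// Added example: nested unbounded quantifiers versus a linear-time equivalent.

// Illustrative translation of '*(*(*(a|b)))' (the shape shown in the article),
// anchored like a full glob match. Three nested stars over the same alternation.
const VULNERABLE = /^(?:(?:(?:(a|b)*)*)*)$/;

// Same language, written so there is exactly one way to consume each character:
// no backtracking is possible, so rejection is linear in the input length.
const SAFE = /^[ab]*$/;

// Constructed non-matching input: n copies of 'b' followed by a 'c'. The 'c'
// guarantees the overall match fails, which forces the engine to backtrack
// through every way of splitting the b's among the nested stars.
function failingInput(n) {
  return "b".repeat(n) + "c";
}

function matchesVulnerable(s) {
  return VULNERABLE.test(s);
}

function matchesSafe(s) {
  return SAFE.test(s);
}

// Wall-clock milliseconds for one test() call against the given regex.
function timeMs(re, s) {
  const start = process.hrtime.bigint();
  re.test(s);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Timings for a few input lengths. Kept to small n so it runs in well under a
// second; the article's 18-byte example is already far more expensive, and
// each extra character multiplies the vulnerable regex's work.
function growthTable(maxN) {
  const rows = [];
  for (let n = 6; n <= maxN; n += 2) {
    const s = failingInput(n);
    rows.push({ n, vulnerableMs: timeMs(VULNERABLE, s), safeMs: timeMs(SAFE, s) });
  }
  return rows;
}

for (const row of growthTable(14)) {
  console.log(
    `n=${row.n}  vulnerable=${row.vulnerableMs.toFixed(3)}ms  safe=${row.safeMs.toFixed(3)}ms`
  );
}
```

Both regexes accept and reject exactly the same strings, so SAFE is a drop-in replacement; the only difference is that VULNERABLE's rejection time grows exponentially with n while SAFE's grows linearly. The patched minimatch releases achieve the same effect by changing how nested extglobs are compiled.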

Who Is Affected?

Anyone whose dependency tree resolves minimatch to a release older than the patched version for its major line (10.2.3 on the current line, down to 3.1.4 on the oldest patched line). This includes direct users and every package that depends on minimatch transitively.
Since minimatch is a ubiquitous dependency, it is likely present somewhere in your npm sub-dependencies even if you never import it yourself.

Upgrade minimatch.

Update to at least the fixed version for each major line listed above. Most package managers (npm, yarn) will pick the latest version in your allowed range, but if your package-lock.json or yarn.lock is pinned to an old version, you must update the lock and reinstall. Prefer the patched release within the major line a dependency already uses: jumping a dependency from 3.x to 10.x also changes the package's export shape and Node.js version requirements and may break that dependency.

Check All Dependencies.

Use npm ls minimatch to list every resolved copy of minimatch (nested copies included), and run regular vulnerability scans with npm audit or Snyk. A project can carry several different minimatch versions at once, one per dependency that pins its own range, and every one of them needs to be at or above its line's fixed release.
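Here is an added example of the check described above, written by me rather than taken from the article or from npm: a script that walks an npm lockfile (lockfileVersion 2 or 3, which list every installed copy under "packages") and flags each copy of minimatch that is below the patched release for its major line. The FIXED_BY_MAJOR map covers only the lines whose patched release the article states unambiguously; add the 8.x and 9.x thresholds from the advisory before relying on it, since majors with no entry are reported as "unknown" rather than silently passed. SAMPLE_LOCK is a constructed lockfile standing in for a real package-lock.json, and the semver comparison is a deliberately minimal one that ignores prerelease tags.

```javascript
// Added example: audit every copy of minimatch in an npm lockfile.

// Patched releases per major line, from the article's version list. Lines the
// article does not state clearly (8.x, 9.x) are omitted on purpose; fill them
// in from the advisory. Missing majors are reported as "unknown", never "fixed".
const FIXED_BY_MAJOR = {
  10: "10.2.3",
  7: "7.4.8",
  6: "6.2.2",
  5: "5.1.8",
  4: "4.2.5",
  3: "3.1.4",
};

// Minimal numeric compare of "major.minor.patch"; prerelease suffixes are ignored.
function cmpSemver(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Status of one installed version relative to its major line's fixed release.
function classify(version) {
  const major = Number(version.split(".")[0]);
  const fixed = FIXED_BY_MAJOR[major];
  if (!fixed) return { fixed: null, status: "unknown" };
  return { fixed, status: cmpSemver(version, fixed) < 0 ? "vulnerable" : "fixed" };
}

// Every lockfile entry whose install path ends in node_modules/minimatch is a
// copy of the package, whether top-level or nested under another dependency.
function auditLock(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/minimatch$/.test(path)) continue;
    const { fixed, status } = classify(meta.version);
    findings.push({ path, version: meta.version, fixed, status });
  }
  return findings;
}

function vulnerableCopies(lock) {
  return auditLock(lock).filter((f) => f.status === "vulnerable");
}

// Constructed sample lockfile (lockfileVersion 3 layout), not a real project.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/minimatch": { version: "10.2.3" },
    "node_modules/glob": { version: "7.2.3" },
    "node_modules/glob/node_modules/minimatch": { version: "3.1.2" },
    "node_modules/eslint/node_modules/minimatch": { version: "3.1.4" },
    "node_modules/some-tool/node_modules/minimatch": { version: "9.0.5" },
  },
};

// Against a real project, replace SAMPLE_LOCK with:
//   JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))
for (const f of auditLock(SAMPLE_LOCK)) {
  const note = f.fixed ? `  (fixed in ${f.fixed})` : "  (no threshold configured; check the advisory)";
  console.log(`${f.status.padEnd(10)} ${f.version.padEnd(8)} ${f.path}${note}`);
}
```

Unlike npm ls, which only reports what is currently installed, reading the lockfile catches copies that a teammate's install would pull in, so this is the form to run in CI. Lockfile version 1 nests copies under "dependencies" instead of a flat "packages" map and would need a different walk.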

Example: Forcing an Update in package.json

"resolutions": {
  "minimatch": "^10.2.3"
}

resolutions is Yarn's field; npm 8.3+ uses an "overrides" block of the same shape. Be aware that ^10.2.3 forces every copy in the tree onto the 10.x line, including copies that dependencies written against 3.x expect. If that breaks a dependency, override with the patched release of the line it already uses instead (for example "minimatch": "^3.1.4"), or scope the override to that one dependency, which both npm overrides and Yarn resolutions allow.

References & Official Disclosures

- minimatch Security Advisory
- NPMJS - minimatch package
- GitHub Advisory Database - CVE-2026-27904
- OWASP: Regular Expression Denial of Service (ReDoS)

Final Thoughts

Minimatch is everywhere in JavaScript projects, so what looks like a niche issue is in reality a widespread risk for web servers, file tools, and developer environments.
All it takes is an untrusted pattern, or even an accidental complex glob in your own configuration, and an old minimatch version becomes an easy DoS target.

Don’t wait: Make sure your project, and all its dependencies, are using safe minimatch versions today.

Timeline

Published on: 02/26/2026 01:07:42 UTC
Last modified on: 02/26/2026 02:16:21 UTC