CVE-2026-27903

7.5 HIGH

📋 TL;DR

This vulnerability in minimatch allows attackers to cause a denial of service by crafting glob patterns with multiple non-adjacent ** segments, triggering unbounded recursive backtracking that stalls the Node.js event loop for tens of seconds. Any application in which attackers can influence the glob patterns passed to minimatch is vulnerable, including build tools, task runners, multi-tenant systems, and CI/CD pipelines.

💻 Affected Systems

Products:
  • minimatch
  • Any Node.js application using minimatch including ESLint, Webpack, Rollup, and other build tools/task runners
Versions: All versions before 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3
Operating Systems: All operating systems running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default configuration when using the minimatch() API with crafted patterns containing multiple non-adjacent ** segments.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete denial of service in Node.js applications, with event loop blocking for minutes or longer, potentially causing service outages and resource exhaustion.

🟠 Likely Case

Temporary service degradation with 5-15 second stalls per malicious request, impacting performance and availability of affected applications.

🟢 If Mitigated

Minimal impact: proper input validation and updated versions prevent the recursive backtracking behavior.

🌐 Internet-Facing: HIGH - Many vulnerable applications accept user input for glob patterns in public interfaces like CI/CD pipelines and build configurations.
🏢 Internal Only: MEDIUM - Internal tools and admin interfaces may be vulnerable if they accept glob patterns from authenticated users.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The exploit requires only a 56-byte crafted pattern and works without authentication in contexts where pattern input is part of normal functionality.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, or 3.1.3 depending on your version line

Vendor Advisory: https://github.com/isaacs/minimatch/security/advisories/GHSA-7r86-cg39-jmmj

Restart Required: Yes

Instructions:

1. Identify the minimatch version in package.json or package-lock.json.
2. Update to a patched version: npm update minimatch@latest or specify the exact patched version.
3. Restart all Node.js applications using minimatch.
4. Verify the update with npm list minimatch.

🔧 Temporary Workarounds

Input validation for glob patterns

all

Validate and sanitize user-supplied glob patterns, rejecting patterns with excessive ** segments before passing them to minimatch.

Rate limiting and timeout enforcement

all

Implement request timeouts and rate limiting on endpoints that accept glob patterns to prevent prolonged blocking.

🧯 If You Can't Patch

  • Implement strict input validation to reject glob patterns with multiple non-adjacent ** segments
  • Isolate vulnerable components in separate processes with resource limits and automatic restart on timeout
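As an added example (not code from the minimatch project or from the advisory), the block below implements the "Input validation for glob patterns" workaround and the first "If You Can't Patch" bullet: it counts runs of ** segments, refuses patterns with more than one non-adjacent run, and wraps an injected matcher so a refused pattern never reaches minimatch. The one-run limit, the 256-character length cap, the refusal of brace expansion, and the safeMatch signature are assumptions of this example, not settings documented by minimatch.

```javascript
'use strict';
// Added example: pre-flight validation of user-supplied glob patterns
// before they reach minimatch. Policy values below are assumptions.

const MAX_GLOBSTAR_RUNS = 1;    // assumption: one run of ** covers ordinary use
const MAX_PATTERN_LENGTH = 256; // assumption: bound on pattern size

// Count runs of "**" segments in a slash-separated pattern. Consecutive
// globstars (a/**/**/b) collapse into one run, since they match the same
// paths as a single "**"; globstars separated by other segments (**/a/**/b)
// count as separate runs, which is the shape the advisory warns about.
function countGlobstarRuns(pattern) {
  let runs = 0;
  let inRun = false;
  for (const segment of pattern.split('/')) {
    if (segment === '**') {
      if (!inRun) {
        runs += 1;
        inRun = true;
      }
    } else {
      inRun = false;
    }
  }
  return runs;
}

// Return { ok: true } if the pattern may be passed to minimatch,
// otherwise { ok: false, reason } describing why it was refused.
function validateGlobPattern(pattern) {
  if (typeof pattern !== 'string' || pattern.length === 0) {
    return { ok: false, reason: 'pattern must be a non-empty string' };
  }
  if (pattern.length > MAX_PATTERN_LENGTH) {
    return { ok: false, reason: `pattern longer than ${MAX_PATTERN_LENGTH} characters` };
  }
  // Brace expansion ({a,b}) multiplies the patterns minimatch evaluates, so a
  // globstar count on the unexpanded string would undercount; refuse braces.
  if (pattern.includes('{')) {
    return { ok: false, reason: 'brace expansion is not allowed' };
  }
  const runs = countGlobstarRuns(pattern);
  if (runs > MAX_GLOBSTAR_RUNS) {
    return { ok: false, reason: `${runs} non-adjacent ** segments (limit ${MAX_GLOBSTAR_RUNS})` };
  }
  return { ok: true };
}

// Guarded call: `matchFn` is the real matcher (e.g. minimatch's default
// export, called as matchFn(path, pattern)); it is injected so this file
// runs without minimatch installed. Refused patterns never reach it.
function safeMatch(matchFn, path, pattern) {
  const verdict = validateGlobPattern(pattern);
  if (!verdict.ok) {
    throw new Error(`glob pattern rejected: ${verdict.reason}`);
  }
  return matchFn(path, pattern);
}

// Constructed demonstration patterns (not the advisory's proof of concept).
for (const p of ['src/**/*.js', 'a/**/**/b', '**/a/**/b', '{src,test}/**']) {
  console.log(JSON.stringify(p), validateGlobPattern(p));
}
```

Run the check at the trust boundary (the HTTP handler, the config loader, the job submission endpoint), not deep inside the matching code, so that the rejection reason can be returned to the caller and logged. The validator deliberately refuses brace expansion rather than expanding it itself: a count taken on the unexpanded string is only meaningful when the string is what minimatch will actually evaluate.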

🔍 How to Verify

Check if Vulnerable:

Check package.json or run: npm list minimatch | grep minimatch

Check Version:

npm list minimatch | grep minimatch

Verify Fix Applied:

Verify that the installed version is at or above the patched release for its major line (10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, or 3.1.3) with: npm list minimatch

📡 Detection & Monitoring

Log Indicators:

  • Unusually long processing times for glob pattern matching
  • Event loop blocking warnings in Node.js logs
  • Timeout errors in applications using minimatch

Network Indicators:

  • Increased response times for endpoints accepting glob patterns
  • Connection timeouts on affected services

SIEM Query:

search for 'minimatch' AND ('timeout' OR 'blocking' OR 'slow') in application logs
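The log indicators and the SIEM query above both assume that something records how long each glob match took. As an added example (not code from the minimatch project or from the advisory), the block below wraps a matcher so that every synchronous match that blocked the event loop longer than a threshold emits one structured log line, and then scans constructed log lines to rank the clients responsible for the most accumulated blocking time. The event name glob_match_slow, the field names, the 100 ms threshold, and the 1000 ms budget are assumptions of this example.

```javascript
'use strict';
// Added example: emit and detect slow glob-match events. Event and field
// names, the 100 ms threshold and the 1000 ms budget are assumptions.

const SLOW_MATCH_MS = 100;

// Wrap a synchronous matcher so every call over `thresholdMs` produces one
// JSON log line via `sink`. `client` identifies where the pattern came from.
function instrumentMatcher(matchFn, sink, thresholdMs = SLOW_MATCH_MS) {
  return function timedMatch(path, pattern, client = 'unknown') {
    const start = process.hrtime.bigint();
    try {
      return matchFn(path, pattern);
    } finally {
      // Time spent here is time the event loop could not service anything else.
      const durationMs = Number(process.hrtime.bigint() - start) / 1e6;
      if (durationMs >= thresholdMs) {
        sink(JSON.stringify({
          event: 'glob_match_slow',
          duration_ms: Math.round(durationMs),
          pattern_length: pattern.length,
          globstars: (pattern.match(/\*\*/g) || []).length,
          client,
        }));
      }
    }
  };
}

// Scan JSON log lines and return clients whose slow matches together exceed
// `budgetMs`, most blocking time first. Non-JSON and unrelated lines are skipped.
function findBlockingSources(lines, budgetMs = 1000) {
  const perClient = new Map();
  for (const line of lines) {
    let rec;
    try {
      rec = JSON.parse(line);
    } catch {
      continue;
    }
    if (!rec || rec.event !== 'glob_match_slow') continue;
    const t = perClient.get(rec.client) || { count: 0, totalMs: 0, maxGlobstars: 0 };
    t.count += 1;
    t.totalMs += Number(rec.duration_ms) || 0;
    t.maxGlobstars = Math.max(t.maxGlobstars, Number(rec.globstars) || 0);
    perClient.set(rec.client, t);
  }
  return [...perClient.entries()]
    .filter(([, t]) => t.totalMs >= budgetMs)
    .map(([client, t]) => ({ client, ...t }))
    .sort((a, b) => b.totalMs - a.totalMs);
}

// Constructed sample log lines (not real telemetry).
const SAMPLE_LOG = [
  '{"event":"http_request","path":"/build","client":"10.0.0.5"}',
  '{"event":"glob_match_slow","duration_ms":5200,"pattern_length":56,"globstars":4,"client":"203.0.113.9"}',
  '{"event":"glob_match_slow","duration_ms":120,"pattern_length":18,"globstars":1,"client":"10.0.0.5"}',
  '{"event":"glob_match_slow","duration_ms":7800,"pattern_length":56,"globstars":4,"client":"203.0.113.9"}',
  'plain text line that is not JSON',
];

console.log(findBlockingSources(SAMPLE_LOG));
```

Recording pattern_length and the globstar count alongside the duration is what turns a generic "slow request" signal into one that can be tied to this advisory: a handful of slow events from one client, each carrying several ** segments, is a much stronger indicator than the keyword search in the SIEM query above, and the aggregated totals map directly onto the rate-limiting workaround.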
