Source: node-minimatch
Version: 9.0.3-6
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for node-minimatch.

CVE-2026-26996[0]:
| minimatch is a minimal matching utility for converting glob
| expressions into JavaScript RegExp objects. Versions 10.2.0 and
| below are vulnerable to Regular Expression Denial of Service (ReDoS)
| when a glob pattern contains many consecutive * wildcards followed
| by a literal character that doesn't appear in the test string. Each
| * compiles to a separate [^/]*? regex group, and when the match
| fails, V8's regex engine backtracks exponentially across all
| possible splits. The time complexity is O(4^N) where N is the number
| of * characters. With N=15, a single minimatch() call takes ~2
| seconds. With N=34, it hangs effectively forever. Any application
| that passes user-controlled strings to minimatch() as the pattern
| argument is vulnerable to DoS. This issue has been fixed in version
| 10.2.1.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-26996
    https://www.cve.org/CVERecord?id=CVE-2026-26996
[1] https://github.com/isaacs/minimatch/security/advisories/GHSA-3ppc-4f35-3m26
[2] https://github.com/isaacs/minimatch/commit/2e111f3a79abc00fa73110195de2c0f2351904f5

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
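Added example, not minimatch's own code nor part of the report above: a defender-side normaliser for user-controlled patterns. Because each unescaped `*` in a path segment compiles to its own `[^/]*?` group, and a run of them matches exactly the strings one `*` matches, collapsing runs before calling minimatch() removes the exponential backtracking described in the advisory; a lone `**` segment (globstar) and `*(` extglob prefixes are kept. It assumes `/` as the segment separator and backslash as the escape character, and the `maxStars` threshold is a constructed policy value.

```javascript
// Added example, not minimatch's code: normalise an untrusted glob before it
// reaches minimatch(). Each unescaped '*' in a segment compiles to its own
// [^/]*? group, and a run of them matches exactly what one '*' matches, so
// collapsing the run removes the exponential backtracking without changing
// the pattern's meaning. Assumes '/' separates segments, backslash escapes
// the next character, and '*(' is an extglob prefix rather than a wildcard.
function collapseStars(segment) {
  if (segment === '**') return segment;                 // globstar: keep
  let out = '';
  let prevStar = false;
  for (let i = 0; i < segment.length; i++) {
    const ch = segment[i];
    if (ch === '\\' && i + 1 < segment.length) {        // escaped char
      out += ch + segment[i + 1];
      i++;
      prevStar = false;
    } else if (ch === '*' && segment[i + 1] !== '(') {  // plain wildcard
      if (!prevStar) out += ch;                         // keep first of run
      prevStar = true;
    } else {                                            // literal or '*('
      out += ch;
      prevStar = false;
    }
  }
  return out;
}

function normalizeGlob(pattern) {
  return pattern.split('/').map(collapseStars).join('/');
}

// Number of unescaped wildcard '*' in a pattern: the N in the advisory's O(4^N).
function countStars(pattern) {
  let n = 0;
  for (let i = 0; i < pattern.length; i++) {
    if (pattern[i] === '\\') { i++; continue; }
    if (pattern[i] === '*' && pattern[i + 1] !== '(') n++;
  }
  return n;
}

// Gate for user-controlled patterns: collapse runs, then refuse anything that
// still carries more wildcards than policy allows (default is a constructed value).
function safeGlob(pattern, maxStars = 8) {
  const normalized = normalizeGlob(pattern);
  const n = countStars(normalized);
  if (n > maxStars) throw new Error(`glob rejected: ${n} wildcards (max ${maxStars})`);
  return normalized;
}
```

Pass the return value of safeGlob() to minimatch() instead of the raw user string; the rejection path is where a rate limit or audit log entry belongs.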

