CVE-2026-27903: minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments

February 26, 2026

matchOne() performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent ** (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) – binomial – where n is the number of path segments and k is the number of globstars. With k=11 and n=30, a call to the default minimatch() API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior.

References

github.com/advisories/GHSA-7r86-cg39-jmmj
github.com/isaacs/minimatch
github.com/isaacs/minimatch/commit/0bf499aa45f5059b56809cc3b75ff3eafeb8d748
github.com/isaacs/minimatch/security/advisories/GHSA-7r86-cg39-jmmj
nvd.nist.gov/vuln/detail/CVE-2026-27903

Code Behaviors & Features

Detect and mitigate CVE-2026-27903 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →