CVE-2026-27904: minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions

February 26, 2026

Nested *() extglobs produce regexps with nested unbounded quantifiers (e.g. (?:(?:a|b)*)*), which exhibit catastrophic backtracking in V8. With a 12-byte pattern *(*(*(a|b))) and an 18-byte non-matching input, minimatch() stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default minimatch() API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects +() extglobs equally.

References

github.com/advisories/GHSA-23c5-xmqv-rm74
github.com/isaacs/minimatch
github.com/isaacs/minimatch/commit/11d0df6165d15a955462316b26d52e5efae06fce
github.com/isaacs/minimatch/security/advisories/GHSA-23c5-xmqv-rm74
nvd.nist.gov/vuln/detail/CVE-2026-27904

Code Behaviors & Features

Detect and mitigate CVE-2026-27904 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →