CVE-2026-27904

CVE Details

Release Date: 2026-02-26
Impact: Moderate

Description


minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), which exhibit catastrophic backtracking in V8. With a 12-byte pattern `*(*(*(a|b)))` and an 18-byte non-matching input, `minimatch()` stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe of the reported findings: it is triggered by the default `minimatch()` API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects `+()` extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.
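The description above explains that nesting `*()` or `+()` extglobs makes minimatch emit nested unbounded quantifiers, which is what V8 backtracks on. The following is an added example, not code from this advisory or from the minimatch project: a pre-filter that measures how deeply unbounded extglob groups are nested in a glob pattern, so that patterns taken from untrusted input can be rejected before they reach `minimatch()` on a version that has not yet been updated. The function names, the depth limit of one, and the choice to treat malformed (unbalanced) patterns as unsafe are assumptions of this example; updating to one of the fixed versions listed above remains the real remediation.

```javascript
// Added example (assumption-based; not the advisory's or minimatch's own code).
// Extglob group openers: ?( *( +( @( !(   -- only *( and +( compile to an
// unbounded quantifier, so only those can produce the nested (?:(?:..)*)* shape.
const EXTGLOB_OPENERS = new Set(['?', '*', '+', '@', '!']);
const UNBOUNDED_OPENERS = new Set(['*', '+']);

// Scan a glob pattern and report the maximum nesting depth of extglob groups
// overall and of the unbounded (*( / +() groups specifically. Backslash
// escapes and bracket classes are skipped so a literal "*(" is not counted.
function extglobNesting(pattern) {
  const stack = [];          // opener of each open group; null = bare "("
  let maxDepth = 0;
  let maxUnboundedDepth = 0;
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '\\') { i++; continue; }            // skip the escaped character
    if (ch === '[') {                              // skip a whole bracket class
      let j = i + 1;
      if (pattern[j] === '!' || pattern[j] === '^') j++;
      if (pattern[j] === ']') j++;                 // leading "]" is literal
      const close = pattern.indexOf(']', j);
      if (close !== -1) i = close;                 // unterminated "[" stays literal
      continue;
    }
    if (EXTGLOB_OPENERS.has(ch) && pattern[i + 1] === '(') {
      stack.push(ch);
      i++;                                         // consume the "("
      maxDepth = Math.max(maxDepth, stack.filter((o) => o !== null).length);
      const unb = stack.filter((o) => UNBOUNDED_OPENERS.has(o)).length;
      maxUnboundedDepth = Math.max(maxUnboundedDepth, unb);
      continue;
    }
    if (ch === '(') { stack.push(null); continue; } // plain paren, not an extglob
    if (ch === ')' && stack.length > 0) stack.pop();
  }
  return { maxDepth, maxUnboundedDepth, balanced: stack.length === 0 };
}

// A single *( ) or +( ) group compiles to one quantifier and is fine; two or
// more nested inside each other yield the nested-quantifier shape described
// in the advisory. Unbalanced patterns are rejected as a conservative choice.
function isSafeGlobPattern(pattern, maxUnboundedDepth = 1) {
  const info = extglobNesting(pattern);
  return info.balanced && info.maxUnboundedDepth <= maxUnboundedDepth;
}

// Constructed sample patterns, including the 12-byte pattern from the advisory.
const SAMPLE_PATTERNS = ['*(a|b)', '@(*(a)|b)', '[*(]*(a)', '\\*(*(a))',
                         '*(*(*(a|b)))', '+(+(x))', '*(a'];

function classifyPatterns(patterns = SAMPLE_PATTERNS) {
  return patterns.map((p) => ({ pattern: p, ...extglobNesting(p), safe: isSafeGlobPattern(p) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(classifyPatterns());
}
```

Use `isSafeGlobPattern()` as a guard in front of any code path that hands user-supplied globs to `minimatch()`; it is a pattern-shape check only and does not inspect the input string being matched.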

See more information about CVE-2026-27904 from MITRE CVE dictionary and NIST NVD


NOTE: The following CVSS metrics and score provided are preliminary and subject to review.


CVSS v3 metrics

Base Score: 6.5
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Version: 3.1
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High

Errata information


Platform                                    Errata           Release Date
Oracle Linux version 10 (nodejs22)          ELSA-2026-7080   2026-04-08
Oracle Linux version 8 (nodejs)             ELSA-2026-7123   2026-04-09
Oracle Linux version 8 (nodejs-nodemon)     ELSA-2026-7123   2026-04-09
Oracle Linux version 8 (nodejs-packaging)   ELSA-2026-7123   2026-04-09
Oracle Linux version 9 (nodejs)             ELSA-2026-7302   2026-04-10
Oracle Linux version 9 (nodejs-nodemon)     ELSA-2026-7302   2026-04-10
Oracle Linux version 9 (nodejs-packaging)   ELSA-2026-7302   2026-04-10


This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections:
