CVE Vulnerabilities

CVE-2026-27904

Inefficient Regular Expression Complexity

Published: Feb 26, 2026 | Modified: Jun 17, 2026
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
6.5 MODERATE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Ubuntu
MEDIUM
root.io logo minimus.io logo echo.ai logo

minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested *() extglobs produce regexps with nested unbounded quantifiers (e.g. (?:(?:a|b)*)*), which exhibit catastrophic backtracking in V8. With a 12-byte pattern *(*(*(a|b))) and an 18-byte non-matching input, minimatch() stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default minimatch() API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects +() extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.

Weakness

The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

Affected Software

NameVendorStart VersionEnd Version
MinimatchMinimatch_project*3.1.4 (excluding)
MinimatchMinimatch_project4.0.0 (including)4.2.5 (excluding)
MinimatchMinimatch_project5.0.0 (including)5.1.8 (excluding)
MinimatchMinimatch_project6.0.0 (including)6.2.2 (excluding)
MinimatchMinimatch_project7.0.0 (including)7.4.8 (excluding)
MinimatchMinimatch_project8.0.0 (including)8.0.6 (excluding)
MinimatchMinimatch_project9.0.0 (including)9.0.7 (excluding)
MinimatchMinimatch_project10.0.0 (including)10.2.3 (excluding)
Red Hat Ansible Automation Platform 2.5 for RHEL 8RedHatautomation-gateway-0:2.5.20260422-3.el8ap*
Red Hat Ansible Automation Platform 2.5 for RHEL 9RedHatautomation-gateway-0:2.5.20260422-3.el9ap*
Red Hat Ansible Automation Platform 2.6 for RHEL 9RedHatautomation-platform-ui-0:2.6.7-1.el9ap*
Red Hat Enterprise Linux 10RedHatnodejs22-1:22.22.2-1.el10_1*
Red Hat Enterprise Linux 10.0 Extended Update SupportRedHatnodejs22-1:22.22.2-2.el10_0*
Red Hat Enterprise Linux 8RedHatnodejs:22-8100020260331102257.6d880403*
Red Hat Enterprise Linux 8RedHatnodejs:20-8100020260414073138.489197e6*
Red Hat Enterprise Linux 9RedHatnodejs:22-9070020260401095228.rhel9*
Red Hat Enterprise Linux 9RedHatnodejs:20-9070020260409073121.rhel9*
Red Hat Enterprise Linux 9.4 Extended Update SupportRedHatnodejs:20-9040020260421133644.rhel9*
Red Hat Enterprise Linux 9.6 Extended Update SupportRedHatnodejs:22-9060020260409121057.rhel9*
Red Hat Enterprise Linux 9.6 Extended Update SupportRedHatnodejs:20-9060020260422064119.rhel9*
Red Hat JBoss Enterprise Application Platform 8.1RedHatio.hawt-project*
Red Hat JBoss Enterprise Application Platform 8.1RedHatorg.jboss.hal-hal-parent*
Red Hat JBoss Enterprise Application Platform 8.1RedHatorg.keycloak-keycloak-parent*
Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8RedHateap8-hal-console-0:3.7.19-1.Final_redhat_00001.1.el8eap*
Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9RedHateap8-hal-console-0:3.7.19-1.Final_redhat_00001.1.el9eap*
Red Hat Developer Hub 1.8RedHatrhdh/rhdh-hub-rhel9:1776784286*
Red Hat Developer Hub 1.9RedHatrhdh/rhdh-hub-rhel9:1777903262*
Red Hat OpenShift AI 2.25RedHatrhoai/odh-pipeline-runtime-datascience-cpu-py312-rhel9:1776257621*
Red Hat OpenShift AI 2.25RedHatrhoai/odh-pipeline-runtime-minimal-cpu-py312-rhel9:1776413275*
Red Hat OpenShift AI 2.25RedHatrhoai/odh-workbench-codeserver-datascience-cpu-py312-rhel9:1776336652*
Red Hat OpenShift AI 2.25RedHatrhoai/odh-workbench-jupyter-datascience-cpu-py312-rhel9:1776319193*
Red Hat OpenShift AI 2.25RedHatrhoai/odh-workbench-jupyter-minimal-cpu-py312-rhel9:1776319213*
Red Hat OpenShift AI 2.25RedHatrhoai/odh-workbench-jupyter-trustyai-cpu-py312-rhel9:1776319275*
Red Hat OpenShift Dev Spaces 3.28RedHatdevspaces/code-rhel9:1779814592*
Red Hat OpenShift Dev Spaces 3.28RedHatdevspaces/openvsx-rhel9:1779528224*
Red Hat Quay 3.10RedHatquay/quay-rhel8:1773971077*
Red Hat Quay 3.12RedHatquay/quay-rhel8:1773771962*
Red Hat Quay 3.15RedHatquay/quay-rhel8:1775169219*
Red Hat Quay 3.16RedHatquay/quay-rhel9:1775069491*
Red Hat Quay 3.16RedHatquay/quay-rhel9:1775169226*
Red Hat Quay 3.9RedHatquay/quay-rhel8:1773936323*
Red Hat Satellite 6.18RedHatsatellite/iop-advisor-frontend-rhel9:1781181673*
Red Hat Satellite 6.18RedHatsatellite/iop-vulnerability-frontend-rhel9:1781032495*
Node-minimatchUbuntuesm-apps/xenial*
Node-minimatchUbuntuquesting*

Potential Mitigations

References