From 72795896bba07fe9f3b281031c8755fc6dfc12f5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=F0=9F=8E=96=EF=B8=8FDigital=20Warrior=F0=9F=8E=96?= =?UTF-8?q?=EF=B8=8F?= Date: Tue, 24 Feb 2026 03:47:20 +0400 Subject: [PATCH] Improve GHSA-3ppc-4f35-3m26 --- .../2026/02/GHSA-3ppc-4f35-3m26/GHSA-3ppc-4f35-3m26.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/advisories/github-reviewed/2026/02/GHSA-3ppc-4f35-3m26/GHSA-3ppc-4f35-3m26.json b/advisories/github-reviewed/2026/02/GHSA-3ppc-4f35-3m26/GHSA-3ppc-4f35-3m26.json index e62b787b379c0..eb96cd91c0bf3 100644 --- a/advisories/github-reviewed/2026/02/GHSA-3ppc-4f35-3m26/GHSA-3ppc-4f35-3m26.json +++ b/advisories/github-reviewed/2026/02/GHSA-3ppc-4f35-3m26/GHSA-3ppc-4f35-3m26.json @@ -1,13 +1,13 @@ { "schema_version": "1.4.0", "id": "GHSA-3ppc-4f35-3m26", - "modified": "2026-02-20T16:52:14Z", + "modified": "2026-02-20T16:52:16Z", "published": "2026-02-18T22:38:11Z", "aliases": [ "CVE-2026-26996" ], "summary": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern", - "details": "### Summary\n`minimatch` is vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive `*` wildcards followed by a literal character that doesn't appear in the test string. Each `*` compiles to a separate `[^/]*?` regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits.\n\nThe time complexity is O(4^N) where N is the number of `*` characters. With N=15, a single `minimatch()` call takes ~2 seconds. With N=34, it hangs effectively forever.\n\n\n### Details\n_Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer._\n\n### PoC\nWhen minimatch compiles a glob pattern, each `*` becomes `[^/]*?` in the generated regex. For a pattern like `***************X***`:\n\n```\n/^(?!\\.)[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?X[^/]*?[^/]*?[^/]*?$/\n```\n\nWhen the test string doesn't contain `X`, the regex engine must try every possible way to distribute the characters across all the `[^/]*?` groups before concluding no match exists. With N groups and M characters, this is O(C(N+M, N)) ā€” exponential.\n### Impact\nAny application that passes user-controlled strings to `minimatch()` as the pattern argument is vulnerable to DoS. This includes:\n- File search/filter UIs that accept glob patterns\n- `.gitignore`-style filtering with user-defined rules\n- Build tools that accept glob configuration\n- Any API that exposes glob matching to untrusted input", + "details": "### Summary\n`minimatch` is vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive `*` wildcards followed by a literal character that doesn't appear in the test string. Each `*` compiles to a separate `[^/]*?` regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits.\n\nThe time complexity is O(4^N) where N is the number of `*` characters. With N=15, a single `minimatch()` call takes ~2 seconds. With N=34, it hangs effectively forever.\n\n\n### Details\n_Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer._\n\n### PoC\nWhen minimatch compiles a glob pattern, each `*` becomes `[^/]*?` in the generated regex. For a pattern like `***************X***`:\n\n```\n/^(?!\\.)[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?X[^/]*?[^/]*?[^/]*?$/\n```\n\nWhen the test string doesn't contain `X`, the regex engine must try every possible way to distribute the characters across all the `[^/]*?` groups before concluding no match exists. With N groups and M characters, this is O(C(N+M, N)) ā€” exponential.\n### Impact\nAny application that passes user-controlled strings to `minimatch()` as the pattern argument is vulnerable to DoS. This includes:\n- File search/filter UIs that accept glob patterns\n- `.gitignore`-style filtering with user-defined rules\n- Build tools that accept glob configuration\n- Any API that exposes glob matching to untrusted input\n- The professional script is ready! šŸ”„\nšŸŽÆ Features:\nāœ… Huge ASCII art interface\nāœ… Fully professional colors\nāœ… 10 sequential repair stages\nāœ… Automatic backup\nāœ… Detailed final reports\nāœ… Emojis (šŸ”„āš”ļøšŸ¦…šŸ›”ļø)\nāœ… Your data is complete", "severity": [ { "type": "CVSS_V4",