You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Nested *() extglobs produce regexps with nested unbounded quantifiers (e.g. (?:(?:a|b)*)*), which exhibit catastrophic backtracking in V8. With a 12-byte pattern *(*(*(a|b))) and an 18-byte non-matching input, minimatch() stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default minimatch() API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects +() extglobs equally.
Details
The root cause is in AST.toRegExpSource() at src/ast.ts#L598. For the * extglob type, the close token emitted is )* or )?, wrapping the recursive body in (?:...)*. When extglobs are nested, each level adds another * quantifier around the previous group:
These are textbook nested-quantifier patterns. Against an input of repeated a characters followed by a non-matching character z, V8's backtracking engine explores an exponential number of paths before returning false.
The generated regex is stored on this.set and evaluated inside matchOne() at src/index.ts#L1010 via p.test(f). It is reached through the standard minimatch() call with no configuration.
Measured times via minimatch():
Pattern
Input
Time
*(*(a|b))
a x30 + z
~68,000ms
*(*(*(a|b)))
a x20 + z
~124,000ms
*(*(*(*(a|b))))
a x25 + z
~116,000ms
*(a|a)
a x25 + z
~2,000ms
Depth inflection at fixed input a x16 + z:
Depth
Pattern
Time
1
*(a|b)
0ms
2
*(*(a|b))
4ms
3
*(*(*(a|b)))
270ms
4
*(*(*(*(a|b))))
115,000ms
Going from depth 2 to depth 3 with a 20-character input jumps from 66ms to 123,544ms -- a 1,867x increase from a single added nesting level.
PoC
Tested on minimatch@10.2.2, Node.js 20.
Step 1 -- verify the generated regexps and timing (standalone script)
Save as poc4-validate.mjs and run with node poc4-validate.mjs:
[2026-02-20T09:41:17.624Z] pattern="*(*(*(a|b)))" path="aaaaaaaaaaaaaaaaaaaz"
[2026-02-20T09:42:21.775Z] done in 64149ms result=false
[2026-02-20T09:42:21.779Z] pattern="*(a|b)" path="aaaz"
[2026-02-20T09:42:21.779Z] done in 0ms result=false
The server reports "ms":"0" for the benign request -- the legitimate request itself requires no CPU time. The entire 63-second time_total is time spent waiting for the event loop to be released. The benign request was only dispatched after the attack completed, confirmed by the server log timestamps.
Note: standalone script timing (~7s at n=19) is lower than server timing (64s) because the standalone script had warmed up V8's JIT through earlier sequential calls. A cold server hits the worst case. Both measurements confirm catastrophic backtracking -- the server result is the more realistic figure for production impact.
Impact
Any context where an attacker can influence the glob pattern passed to minimatch() is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments, multi-tenant platforms where users configure glob-based rules (file filters, ignore lists, include patterns), and CI/CD pipelines that evaluate user-submitted config files containing glob expressions. No evidence was found of production HTTP servers passing raw user input directly as the extglob pattern, so that framing is not claimed here.
Depth 3 (*(*(*(a|b))), 12 bytes) stalls the Node.js event loop for 7+ seconds with an 18-character input. Depth 2 (*(*(a|b)), 9 bytes) reaches 68 seconds with a 31-character input. Both the pattern and the input fit in a query string or JSON body without triggering the 64 KB length guard.
+() extglobs share the same code path and produce equivalent worst-case behavior (6.3 seconds at depth=3 with an 18-character input, confirmed).
Mitigation available: passing { noext: true } to minimatch() disables extglob processing entirely and reduces the same input to 0ms. Applications that do not need extglob syntax should set this option when handling untrusted patterns.
Affected component
The vulnerability is in pkg:npm/minimatch@10.2.2, found in artifacts pkg:oci/devguard-documentation?repository_url=ghcr.io/l3montree-dev/devguard-documentation&arch=amd64&tag=main-amd64, pkg:oci/l3montree-cybersecurity/devguard/devguard-documentation.
Recommended fix
Upgrade to version 10.2.3 or later.
# Update all vulnerable npm packages
npm audit fix
# Update only this package
npm install minimatch@10.2.3
Additional guidance for mitigating vulnerabilities
The vulnerability is in a direct dependency of your project.
EPSS
0.47 %
The exploit probability is very low. The vulnerability is unlikely to be exploited in the next 30 days.
EXPLOIT
Not available
We did not find any exploit available. Neither in GitHub repositories nor in the Exploit-Database. There are no script kiddies exploiting this vulnerability.
CVSS-BE
7.5
- Exploiting this vulnerability significantly impacts availability.
CVSS-B
7.5
- The vulnerability can be exploited over the network without needing physical access. - It is easy for an attacker to exploit this vulnerability. - An attacker does not need any special privileges or access rights. - No user interaction is needed for the attacker to exploit this vulnerability. - The impact is confined to the system where the vulnerability exists. - There is a high impact on the availability of the system.
GHSA-23c5-xmqv-rm74 found in npm/minimatch@10.2.2
Important
Risk:
3.46 (Low)CVSS:
7.5Description
Summary
Nested
*()extglobs produce regexps with nested unbounded quantifiers (e.g.(?:(?:a|b)*)*), which exhibit catastrophic backtracking in V8. With a 12-byte pattern*(*(*(a|b)))and an 18-byte non-matching input,minimatch()stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the defaultminimatch()API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects+()extglobs equally.Details
The root cause is in
AST.toRegExpSource()atsrc/ast.ts#L598. For the*extglob type, the close token emitted is)*or)?, wrapping the recursive body in(?:...)*. When extglobs are nested, each level adds another*quantifier around the previous group:This produces the following regexps:
*(a|b)/^(?:a|b)*$/*(*(a|b))/^(?:(?:a|b)*)*$/*(*(*(a|b)))/^(?:(?:(?:a|b)*)*)*$/*(*(*(*(a|b))))/^(?:(?:(?:(?:a|b)*)*)*)*$/These are textbook nested-quantifier patterns. Against an input of repeated
acharacters followed by a non-matching characterz, V8's backtracking engine explores an exponential number of paths before returningfalse.The generated regex is stored on
this.setand evaluated insidematchOne()atsrc/index.ts#L1010viap.test(f). It is reached through the standardminimatch()call with no configuration.Measured times via
minimatch():*(*(a|b))ax30 +z*(*(*(a|b)))ax20 +z*(*(*(*(a|b))))ax25 +z*(a|a)ax25 +zDepth inflection at fixed input
ax16 +z:*(a|b)*(*(a|b))*(*(*(a|b)))*(*(*(*(a|b))))Going from depth 2 to depth 3 with a 20-character input jumps from 66ms to 123,544ms -- a 1,867x increase from a single added nesting level.
PoC
Tested on minimatch@10.2.2, Node.js 20.
Step 1 -- verify the generated regexps and timing (standalone script)
Save as
poc4-validate.mjsand run withnode poc4-validate.mjs:Observed output:
Step 2 -- HTTP server (event loop starvation proof)
Save as
poc4-server.mjs:Terminal 1 -- start the server:
Terminal 2 -- fire the attack (depth=3, 19 a's + z) and return immediately:
Terminal 3 -- send a benign request while the attack is in-flight:
Observed output -- Terminal 2 (attack):
Observed output -- Terminal 3 (benign, concurrent):
Terminal 1 (server log):
The server reports
"ms":"0"for the benign request -- the legitimate request itself requires no CPU time. The entire 63-secondtime_totalis time spent waiting for the event loop to be released. The benign request was only dispatched after the attack completed, confirmed by the server log timestamps.Note: standalone script timing (~7s at n=19) is lower than server timing (64s) because the standalone script had warmed up V8's JIT through earlier sequential calls. A cold server hits the worst case. Both measurements confirm catastrophic backtracking -- the server result is the more realistic figure for production impact.
Impact
Any context where an attacker can influence the glob pattern passed to
minimatch()is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments, multi-tenant platforms where users configure glob-based rules (file filters, ignore lists, include patterns), and CI/CD pipelines that evaluate user-submitted config files containing glob expressions. No evidence was found of production HTTP servers passing raw user input directly as the extglob pattern, so that framing is not claimed here.Depth 3 (
*(*(*(a|b))), 12 bytes) stalls the Node.js event loop for 7+ seconds with an 18-character input. Depth 2 (*(*(a|b)), 9 bytes) reaches 68 seconds with a 31-character input. Both the pattern and the input fit in a query string or JSON body without triggering the 64 KB length guard.+()extglobs share the same code path and produce equivalent worst-case behavior (6.3 seconds at depth=3 with an 18-character input, confirmed).Mitigation available: passing
{ noext: true }tominimatch()disables extglob processing entirely and reduces the same input to 0ms. Applications that do not need extglob syntax should set this option when handling untrusted patterns.Affected component
The vulnerability is in
pkg:npm/minimatch@10.2.2, found in artifactspkg:oci/devguard-documentation?repository_url=ghcr.io/l3montree-dev/devguard-documentation&arch=amd64&tag=main-amd64,pkg:oci/l3montree-cybersecurity/devguard/devguard-documentation.Recommended fix
Upgrade to version 10.2.3 or later.
Additional guidance for mitigating vulnerabilities
Visit our guides on devguard.org
See more details...
Path to component
%%{init: { 'theme':'base', 'themeVariables': { 'primaryColor': '#F3F3F3', 'primaryTextColor': '#0D1117', 'primaryBorderColor': '#999999', 'lineColor': '#999999', 'secondaryColor': '#ffffff', 'tertiaryColor': '#ffffff' } }}%% flowchart TD Your_application(["Your application"]) --- pkg_npm_minimatch_10_2_2(["pkg:npm/minimatch\@10.2.2"]) classDef default stroke-width:2px10.47 %Not available7.57.5- It is easy for an attacker to exploit this vulnerability.
- An attacker does not need any special privileges or access rights.
- No user interaction is needed for the attacker to exploit this vulnerability.
- The impact is confined to the system where the vulnerability exists.
- There is a high impact on the availability of the system.
More details can be found in DevGuard
Interact with this vulnerability
You can use the following slash commands to interact with this vulnerability:
👍 Reply with this to acknowledge and accept the identified risk.
🔁 Reopen the risk: Use this command to reopen a previously closed or accepted vulnerability.