ReDoS Vulnerability in Picomatch Library by Micromatch
CVE-2026-33671
Key Information:
- Vendor: Micromatch
- Status: Vendor
- CVE Published: 26 March 2026
What is CVE-2026-33671?
The Picomatch library, used for glob pattern matching in JavaScript, is prone to a Regular Expression Denial of Service (ReDoS) attack when processing specially crafted extglob patterns. Specifically, versions before 4.0.4, 3.0.2, and 2.3.2 are susceptible to catastrophic backtracking on complex non-matching inputs that use extglob quantifiers such as +() and *(). The issue arises in environments where untrusted users can supply glob patterns for Picomatch to process, which can lead to high CPU consumption and block the Node.js event loop, causing a denial of service. Developers are advised to upgrade to the fixed versions, or otherwise to sanitize glob patterns and apply strict allowlists to mitigate the risk.
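As an added example (not picomatch's own code and not part of this advisory), the following guard applies the sanitization and allowlist mitigation described above before an untrusted pattern ever reaches picomatch; the length limit and the allowlist entries are illustrative values.

```javascript
// Compensating control for untrusted glob input: refuse extglob quantifiers
// and, where possible, let callers pick only from pre-approved patterns.
// Upgrading picomatch remains the actual fix; this only limits exposure.

// Illustrative cap; picomatch also documents a maxLength option.
const MAX_PATTERN_LENGTH = 256;

// picomatch extglob openers: @(...), +(...), *(...), ?(...), !(...).
// Deliberately conservative: an escaped opener such as "\+(" is refused too.
const EXTGLOB_OPENER = /[@+*?!]\(/;

// Constructed allowlist of patterns an untrusted caller may select from.
const PATTERN_ALLOWLIST = new Set([
  'src/**/*.js',
  'src/**/*.ts',
  'docs/*.md',
]);

/**
 * Vet an untrusted pattern. Returns { ok: true } or { ok: false, reason }.
 * Extglob quantifiers are rejected outright because the backtracking in
 * this advisory is driven by +() / *() groups on non-matching input.
 */
function vetGlobPattern(pattern) {
  if (typeof pattern !== 'string') {
    return { ok: false, reason: 'pattern must be a string' };
  }
  if (pattern.length > MAX_PATTERN_LENGTH) {
    return { ok: false, reason: 'pattern exceeds length limit' };
  }
  if (EXTGLOB_OPENER.test(pattern)) {
    return { ok: false, reason: 'extglob quantifiers are not permitted' };
  }
  return { ok: true };
}

/**
 * Strictest form: untrusted input may only name a pre-approved pattern.
 * Anything outside the allowlist is rejected, however harmless it looks.
 */
function resolveAllowlistedPattern(requested) {
  return PATTERN_ALLOWLIST.has(requested) ? requested : null;
}
```

If vetted patterns are still passed to picomatch, also consider its documented `noextglob` option, which disables extglob parsing entirely (check the README of the version you have installed).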
Affected Version(s)
Product     Affected range       Other listed versions
picomatch   >= 4.0.0, < 4.0.4    < 4.0.0, 4.0.4
picomatch   >= 3.0.0, < 3.0.2    < 3.0.0, 3.0.2
picomatch   < 2.3.2              < 2.3.2
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.
