The Infinite Loop of Doom: Unpacking CVE-2026-27904 in Minimatch

If you write JavaScript, you use minimatch. You might not know it, but you do. It's the engine under the hood of glob, which is under the hood of rimraf, eslint, and pretty much every build tool in existence. Its job is simple: take a shell-style wildcard string (like src/**/*.js) and turn it into a Regular Expression that JavaScript's V8 engine can understand.

But here's the thing about translating logic languages: it's really easy to accidentally create a monster. In CVE-2026-27904, the monster is hiding in 'extglobs'—extended glob patterns like *(pattern) (zero or more) or +(pattern) (one or more).

The vulnerability is a classic case of "it seemed like a good idea at the time." The library allowed users to nest these patterns indefinitely. And when you nest patterns that represent unbounded repetition, you aren't just creating a complex regex; you are creating a mathematical black hole.

To understand why this breaks, we have to look at how minimatch translates these globs. When you provide a pattern like *(a|b), minimatch converts it into a regex equivalent to (a|b)*. That's fine. V8 can handle that while sleeping.

The problem arises when you get recursive. A pattern like *(*(*(a|b))) is translated into a regex structure resembling ((((a|b)*)*)*).

> [!WARNING] > Catastrophic Backtracking Alert: In a backtracking regex engine, nested quantifiers are deadly. If the engine fails to find a match (e.g., on a string of aaaa... ending in z), it tries to backtrack and rearrange how the inner groups matched the characters.

With three levels of nesting, the complexity is manageable. But the complexity grows exponentially. A 12-byte pattern combined with an 18-byte input string is enough to stall the single-threaded Node.js event loop for over 7 seconds. Add a few more characters, and the sun will explode before your server sends a response.

The fix, implemented in commit 11d0df6 (and others), is a masterclass in pragmatic optimization. The maintainers realized that mathematically, *(*(pattern)) is redundant. It essentially asks for "zero or more of (zero or more of pattern)". That is logically identical to just "zero or more of pattern".

To fix this, they introduced an optimization pass that flattens these nested structures before they ever become regexes. They verify if a parent extglob can "adopt" a child extglob.

Here is the logic in a nutshell:

// Conceptual logic of the fix
if (this.type === '*' && child.type === '*') {
  // *(*(a)) becomes *(a)
  this.patternList = child.patternList;
}

Furthermore, they added a hard stop. A new maxExtglobRecursion limit (defaulting to 2) prevents the parser from going down the rabbit hole. If a pattern nests deeper than that and cannot be flattened, minimatch now simply refuses to treat it as a glob, interpreting the characters literally. It’s the coding equivalent of a parent saying, "Because I said so."

Exploiting this is embarrassingly easy. You don't need heap spraying or ROP chains. You just need an input field that accepts a glob pattern. This could be a file search feature, a .gitignore parser, or a route config.

Here is the Proof of Concept (PoC) that kills the process:

const { minimatch } = require('minimatch');
 
// The payload: deeply nested, redundant wildcards
const pattern = "*(*(*(a|b)))"; 
 
// The trigger: A string that almost matches, but fails at the end
const input = "a".repeat(25) + "z"; 
 
console.log("Starting match...");
console.time('death');
 
// This line effectively freezes the process
minimatch(input, pattern);
 
console.timeEnd('death');

If you run this on a vulnerable version (e.g., v9.0.0), your terminal will hang. If this were a web server, every other request would be queued behind this operation, causing a complete denial of service.

You might be thinking, "Who lets users type raw glob patterns?" You'd be surprised.

1. SaaS Build Tools: CI/CD pipelines often allow users to define artifacts using globs in YAML files. An attacker could stall the build runners.
2. Linting Services: Online code analysis tools often use minimatch to exclude files.
3. Search Filters: Advanced search APIs often support wildcard syntax that gets passed directly to these libraries.

Because Node.js is single-threaded, a ReDoS is not just a slow request—it is a total service outage. The CPU hits 100%, the event loop blocks, and health checks fail. Kubernetes will likely kill and restart the pod, but if the attack is persistent or part of a config file, the service enters a crash loop.