
[Aikido] Fix security issue in minimatch via minor version upgrade from 9.0.3 to 9.0.7#22

Merged
daniel-vdp merged 1 commit into main from fix/aikido-security-update-packages-17830319-v1sa on Mar 5, 2026

Conversation

aikido-autofix (Bot, Contributor) commented Mar 2, 2026

Upgrade minimatch to fix critical DoS vulnerabilities: unbounded regex backtracking in globstar patterns, consecutive wildcards, and nested extglobs causing event loop stalls.

✅ 3 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

Issue | Severity | Description
CVE-2026-27903 | HIGH | [minimatch] A ReDoS vulnerability in glob pattern matching causes unbounded recursive backtracking with multiple GLOBSTAR segments, enabling attackers to stall the event loop for tens of seconds via crafted patterns in build tools, CI/CD pipelines, or multi-tenant systems.
CVE-2026-26996 | LOW | [minimatch] A Regular Expression Denial of Service (ReDoS) vulnerability exists when glob patterns contain many consecutive * wildcards followed by a literal character, causing exponential backtracking with O(4^N) complexity. Applications passing user-controlled strings as patterns to minimatch() are vulnerable to severe performance degradation or hangs.
CVE-2026-27904 | LOW | [minimatch] Nested extglobs (*() and +()) generate regexps with catastrophic backtracking, causing severe ReDoS denial-of-service attacks with minimal input patterns triggering multi-second hangs.
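As an added defensive example, not code from this PR or from minimatch itself: a pre-screen that rejects untrusted glob patterns showing the three shapes the table describes (many consecutive `*`, many `**` segments, nested extglobs) before they are handed to `minimatch()`. The limit values are assumed; upgrading to 9.0.7 remains the actual fix, and this only reduces exposure for code that passes user-controlled patterns.

```javascript
// Added example (not part of the PR or of minimatch): reject user-supplied glob
// patterns with the shapes named in the CVE table before they reach minimatch().
// The thresholds below are assumed values; tune them to the patterns you accept.
const LIMITS = { maxConsecutiveStars: 4, maxGlobstarSegments: 4, maxExtglobDepth: 1 };

// CVE-2026-27903 shape: count path segments that are exactly "**" (GLOBSTAR).
function globstarSegments(pattern) {
  return pattern.split('/').filter((seg) => seg === '**').length;
}

// CVE-2026-26996 shape: longest run of consecutive "*" characters.
function longestStarRun(pattern) {
  let longest = 0;
  let run = 0;
  for (const ch of pattern) {
    run = ch === '*' ? run + 1 : 0;
    if (run > longest) longest = run;
  }
  return longest;
}

// CVE-2026-27904 shape: deepest nesting of extglob groups such as *(...) and +(...).
function extglobDepth(pattern) {
  let depth = 0;
  let max = 0;
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if ('*+?@!'.includes(ch) && pattern[i + 1] === '(') {
      depth += 1;
      if (depth > max) max = depth;
      i += 1; // skip the "(" that opens the group
    } else if (ch === ')' && depth > 0) {
      depth -= 1;
    }
  }
  return max;
}

// Returns { ok, reasons }; call this on untrusted input before minimatch(path, pattern).
function checkGlobPattern(pattern, limits = LIMITS) {
  const reasons = [];
  if (globstarSegments(pattern) > limits.maxGlobstarSegments) reasons.push('too many ** segments');
  if (longestStarRun(pattern) > limits.maxConsecutiveStars) reasons.push('consecutive * wildcards');
  if (extglobDepth(pattern) > limits.maxExtglobDepth) reasons.push('nested extglob');
  return { ok: reasons.length === 0, reasons };
}
```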

@aikido-autofix aikido-autofix Bot requested a review from daniel-vdp as a code owner March 2, 2026 03:03
@daniel-vdp daniel-vdp merged commit 6fe752b into main Mar 5, 2026
2 checks passed