{"url":"http://public2.vulnerablecode.io/api/packages/74137?format=json","purl":"pkg:npm/minimatch@9.0.6","type":"npm","namespace":"","name":"minimatch","version":"9.0.6","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"9.0.7","latest_non_vulnerable_version":"10.2.3","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50239?format=json","vulnerability_id":"VCID-tu43-xaxs-uug8","summary":"minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern\n`minimatch` is vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive `*` wildcards followed by a literal character that doesn't appear in the test string. Each `*` compiles to a separate `[^/]*?` regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits.\n\nThe time complexity is O(4^N) where N is the number of `*` characters. With N=15, a single `minimatch()` call takes ~2 seconds. With N=34, it hangs effectively forever.","references":[{"reference_url":"https://github.com/isaacs/minimatch","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/isaacs/minimatch"},{"reference_url":"https://github.com/isaacs/minimatch/commit/2e111f3a79abc00fa73110195de2c0f2351904f5","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/isaacs/minimatch/commit/2e111f3a79abc00fa73110195de2c0f2351904f5"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-26996","reference_id":"CVE-2026-26996","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-26996"},{"reference_url":"https://github.com/advisories/GHSA-3ppc-4f35-3m26","reference_id":"GHSA-3ppc-4f35-3m26","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-3ppc-4f35-3m26"},{"reference_url":"https://github.com/isaacs/minimatch/security/advisories/GHSA-3ppc-4f35-3m26","reference_id":"GHSA-3ppc-4f35-3m26","reference_type":"","scores":[],"url":"https://github.com/isaacs/minimatch/security/advisories/GHSA-3ppc-4f35-3m26"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74143?format=json","purl":"pkg:npm/minimatch@3.1.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/minimatch@3.1.3"},{"url":"http://public2.vulnerablecode.io/api/packages/74142?format=json","purl":"pkg:npm/minimatch@4.2.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/minimatch@4.2.4"},{"url":"http://public2.vulnerablecode.io/api/packages/74141?format=json","purl":"pkg:npm/minimatch@5.1.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/minimatch@5.1.7"},{"url":"http://public2.vulnerablecode.io/api/packages/74140?format=json","purl":"pkg:npm/minimatch@6.2.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/minimatch@6.2.1"},{"url":"http://public2.vulnerablecode.io/api/packages/74139?format=json","purl":"pkg:npm/minimatch@7.4.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/minimatch@7.4.7"},{"url":"http://public2.vulnerablecode.io/api/packages/74138?format=json","purl":"pkg:npm/minimatch@8.0.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/minimatch@8.0.5"},{"url":"http://public2.vulnerablecode.io/api/packages/74137?format=json","purl":"pkg:npm/minimatch@9.0.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/minimatch@9.0.6"},{"url":"http://public2.vulnerablecode.io/api/packages/74136?format=json","purl":"pkg:npm/minimatch@10.2.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/minimatch@10.2.1"}],"aliases":["CVE-2026-26996","GHSA-3ppc-4f35-3m26"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tu43-xaxs-uug8"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/minimatch@9.0.6"}