CVE-2026-33671

{"id": "CVE-2026-33671", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-03-26T22:16:30.210", "references": [{"url": "https://github.com/micromatch/picomatch/commit/5eceecd27543b8e056b9307d69e105ea03618a7d", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/micromatch/picomatch/security/advisories/GHSA-c2c7-rcm5-vvqj", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-1333"}]}], "descriptions": [{"lang": "en", "value": "Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as `+()` and `*()`, especially when combined with overlapping alternatives or nested extglobs, are compiled into regular expressions that can exhibit catastrophic backtracking on non-matching input. Applications are impacted when they allow untrusted users to supply glob patterns that are passed to `picomatch` for compilation or matching. In those cases, an attacker can cause excessive CPU consumption and block the Node.js event loop, resulting in a denial of service. Applications that only use trusted, developer-controlled glob patterns are much less likely to be exposed in a security-relevant way. This issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2. Users should upgrade to one of these versions or later, depending on their supported release line. If upgrading is not immediately possible, avoid passing untrusted glob patterns to `picomatch`. Possible mitigations include disabling extglob support for untrusted patterns by using `noextglob: true`, rejecting or sanitizing patterns containing nested extglobs or extglob quantifiers such as `+()` and `*()`, enforcing strict allowlists for accepted pattern syntax, running matching in an isolated worker or separate process with time and resource limits, and applying application-level request throttling and input validation for any endpoint that accepts glob patterns."}, {"lang": "es", "value": "Picomatch es un comparador de globs escrito en JavaScript. Las versiones anteriores a 4.0.4, 3.0.2 y 2.3.2 son vulnerables a la denegaci\u00f3n de servicio por expresi\u00f3n regular (ReDoS) al procesar patrones extglob manipulados. Ciertos patrones que utilizan cuantificadores extglob como '+()' y '*()', especialmente cuando se combinan con alternativas superpuestas o extglobs anidados, se compilan en expresiones regulares que pueden exhibir un retroceso catastr\u00f3fico en entradas no coincidentes. Las aplicaciones se ven afectadas cuando permiten a usuarios no confiables suministrar patrones glob que se pasan a 'picomatch' para su compilaci\u00f3n o coincidencia. En esos casos, un atacante puede causar un consumo excesivo de CPU y bloquear el bucle de eventos de Node.js, lo que resulta en una denegaci\u00f3n de servicio. Las aplicaciones que solo utilizan patrones glob confiables y controlados por el desarrollador son mucho menos propensas a estar expuestas de una manera relevante para la seguridad. Este problema se corrige en picomatch 4.0.4, 3.0.2 y 2.3.2. Los usuarios deben actualizar a una de estas versiones o posteriores, dependiendo de su l\u00ednea de lanzamiento compatible. Si la actualizaci\u00f3n no es posible de inmediato, evite pasar patrones glob no confiables a 'picomatch'. Las posibles mitigaciones incluyen deshabilitar el soporte de extglob para patrones no confiables usando 'noextglob: true', rechazar o sanear patrones que contengan extglobs anidados o cuantificadores extglob como '+()' y '*()', aplicar listas de permitidos estrictas para la sintaxis de patrones aceptada, ejecutar la coincidencia en un trabajador aislado o proceso separado con l\u00edmites de tiempo y recursos, y aplicar la limitaci\u00f3n de solicitudes a nivel de aplicaci\u00f3n y la validaci\u00f3n de entrada para cualquier punto final que acepte patrones glob."}], "lastModified": "2026-04-01T13:45:11.687", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:jonschlinkert:picomatch:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "6148465C-6A83-4B20-82ED-6A4716A9715A", "versionEndExcluding": "2.3.2"}, {"criteria": "cpe:2.3:a:jonschlinkert:picomatch:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "9A206521-842F-4F49-8128-4A115190B763", "versionEndExcluding": "3.0.2", "versionStartIncluding": "3.0.0"}, {"criteria": "cpe:2.3:a:jonschlinkert:picomatch:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "66F51752-C949-46F4-A543-43DD20B4A98B", "versionEndExcluding": "4.0.4", "versionStartIncluding": "4.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}