{
  "ecosystem": "npm",
  "package": "picomatch",
  "version": null,
  "bugs": [
    {
      "id": 208,
      "ecosystem": "npm",
      "package_name": "picomatch",
      "affected_version": "4.0.0",
      "fixed_version": "4.0.4",
      "bug_id": "osv:GHSA-c2c7-rcm5-vvqj",
      "title": "Picomatch has a ReDoS vulnerability via extglob quantifiers",
      "description": "### Impact\n`picomatch` is vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as `+()` and `*()`, especially when combined with overlapping alternatives or nested extglobs, are compiled into regular expressions that can exhibit catastrophic backtracking on non-matching input.\n\nExamples of problematic patterns include `+(a|aa)`, `+(*|?)`, `+(+(a))`, `*(+(a))`, and `+(+(+(a)))`. In local reproduction, these patterns caused multi-second event-loop blocking with relatively short inputs. For example, `+(a|aa)` compiled to `^(?:(?=.)(?:a|aa)+)$` and took about 2 seconds to reject a 41-character non-matching input, while nested patterns such as `+(+(a))` and `*(+(a))` took around 29 seconds to reject a 33-character input on a modern M1 MacBook.\n\nApplications are impacted when they allow untrusted users to supply glob patterns that are passed to `picomatch` for compilation or matching. In those cases, an attacker can cause excessive CPU consumption and block the Node.js event loop, resulting in a denial of service. Applications that only use trusted, developer-controlled glob patterns are much less likely to be exposed in a security-relevant way.\n\n### Patches\nThis issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2.\n\nUsers should upgrade to one of these versions or later, depending on their supported release line.\n\n### Workarounds\nIf upgrading is not immediately possible, avoid passing untrusted glob patterns to `picomatch`.\n\nPossible mitigations include:\n- disable extglob support for untrusted patterns by using `noextglob: true`\n- reject or sanitize patterns containing nested extglobs or extglob quantifiers such as `+()` and `*()`\n- enforce strict allowlists for accepted pattern syntax\n- run matching in an isolated worker or separate process with time and resource limits\n- apply application-level request throttling and input validation for any endpoint that accepts glob patterns\n\n### Resources\n- Picomatch repository: https://github.com/micromatch/picomatch\n- `lib/parse.js` and `lib/constants.js` are involved in generating the vulnerable regex forms\n- Comparable ReDoS precedent: CVE-2024-4067 (`micromatch`)\n- Comparable generated-regex precedent: CVE-2024-45296 (`path-to-regexp`)",
      "severity": "high",
      "status": "fixed",
      "source": "osv",
      "source_url": "https://github.com/micromatch/picomatch/security/advisories/GHSA-c2c7-rcm5-vvqj",
      "labels": ["CVE-2026-33671"],
      "created_at": "2026-04-19T04:30:37.395245+00:00",
      "updated_at": "2026-04-19T04:30:37.395245+00:00"
    },
    {
      "id": 212,
      "ecosystem": "npm",
      "package_name": "picomatch",
      "affected_version": null,
      "fixed_version": null,
      "bug_id": "github:2",
      "title": "Relative patterns and paths with dot in the base name",
      "description": "The `isMatch` method always returns `true` for files starting with a period if a relative path is used. The `dot` option has no effect here.\r\n\r\n```js\r\nconst picomatch = require('picomatch');\r\n\r\nconst isMatch = picomatch('../*.js');\r\nconst result = isMatch('../.test.js');\r\n\r\nconsole.log(result); // true\r\n```\r\n\r\nComparing behavior with micromatch:\r\n\r\n```js\r\nconst picomatch = require('picomatch');\r\nconst micromatch = require('micromatch');\r\n\r\nconst pico = picomatch('../*.js');\r\nconst micro = micromatch.isMatch('../.test.js', '../*.js');\r\n\r\nconsole.log(pico('../.test.js')); // true\r\nconsole.log(micro); // false Will be `true` with { dot: true }\r\n```",
      "severity": "medium",
      "status": "fixed",
      "source": "github_issues",
      "source_url": "https://github.com/micromatch/picomatch/issues/2",
      "labels": ["bug"],
      "created_at": "2026-04-19T04:30:38.227570+00:00",
      "updated_at": "2026-04-19T04:30:38.227570+00:00"
    },
    {
      "id": 211,
      "ecosystem": "npm",
      "package_name": "picomatch",
      "affected_version": null,
      "fixed_version": null,
      "bug_id": "github:8",
      "title": "Incorrect matching with curly braces and globstar",
      "description": "#### Source\r\n\r\n* mrmlnc/fast-glob#159\r\n\r\n#### Actual behavior\r\n\r\nThe following file paths are not matched by `minimatch`, `micromatch` and `picomatch` for the `{file.txt,directory/**/*}` pattern.\r\n\r\n```\r\ndirectory/.test.txt\r\ndirectory/test.txt\r\n```\r\n\r\nBut if you remove the `/*` part of the pattern, everything works correctly.\r\n\r\n#### Expected behavior\r\n\r\nWill be matched or documented :)\r\n\r\n#### Code sample\r\n\r\nWorks fine:\r\n\r\n```js\r\npicomatch.makeRe('{file.txt,directory/**}', { dot: true });\r\n```\r\n\r\n* https://runkit.com/mrmlnc/5c6db74af4685d0012b8a037\r\n\r\nWorks badly:\r\n\r\n```js\r\npicomatch.makeRe('{file.txt,directory/**/*}', { dot: true });\r\n```\r\n\r\n* https://runkit.com/mrmlnc/5c6db7a2629c26001267cf8d",
      "severity": "medium",
      "status": "fixed",
      "source": "github_issues",
      "source_url": "https://github.com/micromatch/picomatch/issues/8",
      "labels": ["bug"],
      "created_at": "2026-04-19T04:30:38.227020+00:00",
      "updated_at": "2026-04-19T04:30:38.227020+00:00"
    },
    {
      "id": 210,
      "ecosystem": "npm",
      "package_name": "picomatch",
      "affected_version": null,
      "fixed_version": null,
      "bug_id": "github:49",
      "title": "Brace expansion matches single item",
      "description": "According to the braces library, braces expansion should not match a single item like `{foo}`. However, picomatch does interpret this expression.\r\n\r\nbraces:\r\n\r\n```js\r\nbraces('{foo}')\r\n//=> ['{foo}']\r\n```\r\n\r\npicomatch:\r\n\r\n```js\r\npicomatch.parse('{foo}').output\r\n//=> '(foo)'\r\n```\r\n\r\nCompare that to when there are multiple items:\r\n\r\n```js\r\nbraces('{foo,bar}')\r\n//=> ['(foo|bar)']\r\npicomatch.parse('{foo,bar}').output\r\n//=> '(foo|bar)'\r\n```\r\n\r\nIt seems to me like the behavior should match in both cases.",
      "severity": "medium",
      "status": "fixed",
      "source": "github_issues",
      "source_url": "https://github.com/micromatch/picomatch/issues/49",
      "labels": ["bug"],
      "created_at": "2026-04-19T04:30:38.225969+00:00",
      "updated_at": "2026-04-19T04:30:38.225969+00:00"
    },
    {
      "id": 209,
      "ecosystem": "npm",
      "package_name": "picomatch",
      "affected_version": null,
      "fixed_version": null,
      "bug_id": "github:93",
      "title": "Glob **/!(*-dbg).@(js) is wrongly translated into RegExp and thus DOES match -dbg.js files",
      "description": "The Glob:\r\n\r\n```\r\n**/!(*-dbg).@(js)\r\n```\r\n\r\nWhich should match any `.js` files that do not end with `-dbg` is wrongly translated to:\r\n\r\n```\r\n^(?:(?:^|[\\\\/]|(?:(?:(?!(?:^|[\\\\/])\\.{1,2}(?:[\\\\/]|$)).)*?)[\\\\/])(?:(?!(?:[^\\\\/]*?-dbg).@(js))[^\\\\/]*?)\\.(js))$\r\n```\r\n\r\nPlease note how for the negative backreference, the glob pattern `.@(js)` is literally taken into the regex and is not translated into a regexp / escaped itself? Expected RegExp would have been:\r\n\r\n```\r\n^(?:(?:^|[\\\\/]|(?:(?:(?!(?:^|[\\\\/])\\.{1,2}(?:[\\\\/]|$)).)*?)[\\\\/])(?:(?!(?:[^\\\\/]*?-dbg)\\.(js))[^\\\\/]*?)\\.(js))$\r\n```",
      "severity": "medium",
      "status": "fixed",
      "source": "github_issues",
      "source_url": "https://github.com/micromatch/picomatch/issues/93",
      "labels": ["bug"],
      "created_at": "2026-04-19T04:30:38.224421+00:00",
      "updated_at": "2026-04-19T04:30:38.224421+00:00"
    },
    {
      "id": 207,
      "ecosystem": "npm",
      "package_name": "picomatch",
      "affected_version": "4.0.0",
      "fixed_version": "4.0.4",
      "bug_id": "osv:GHSA-3v7f-55p6-f55p",
      "title": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching",
      "description": "### Impact\npicomatch is vulnerable to a **method injection vulnerability (CWE-1321)** affecting the `POSIX_REGEX_SOURCE` object. Because the object inherits from `Object.prototype`, specially crafted POSIX bracket expressions (e.g., `[[:constructor:]]`) can reference inherited method names. These methods are implicitly converted to strings and injected into the generated regular expression.\n\nThis leads to **incorrect glob matching behavior (integrity impact)**, where patterns may match unintended filenames. The issue does **not enable remote code execution**, but it can cause security-relevant logic errors in applications that rely on glob matching for filtering, validation, or access control.\n\nAll users of affected `picomatch` versions that process untrusted or user-controlled glob patterns are potentially impacted.\n\n### Patches\n\nThis issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2.\n\nUsers should upgrade to one of these versions or later, depending on their supported release line.\n\n### Workarounds\n\nIf upgrading is not immediately possible, avoid passing untrusted glob patterns to picomatch.\n\nPossible mitigations include:\n- Sanitizing or rejecting untrusted glob patterns, especially those containing POSIX character classes like `[[:...:]]`.\n- Avoiding the use of POSIX bracket expressions if user input is involved.\n- Manually patching the library by modifying `POSIX_REGEX_SOURCE` to use a null prototype:\n\n  ```js\n  const POSIX_REGEX_SOURCE = {\n    __proto__: null,\n    alnum: 'a-zA-Z0-9',\n    alpha: 'a-zA-Z',\n    // ... rest unchanged\n  };\n  ```\n\n### Resources\n\n- fix for similar issue: https://github.com/micromatch/picomatch/pull/144\n- picomatch repository https://github.com/micromatch/picomatch",
      "severity": "medium",
      "status": "fixed",
      "source": "osv",
      "source_url": "https://github.com/micromatch/picomatch/security/advisories/GHSA-3v7f-55p6-f55p",
      "labels": ["CVE-2026-33672"],
      "created_at": "2026-04-19T04:30:37.394250+00:00",
      "updated_at": "2026-04-19T04:30:37.394250+00:00"
    }
  ],
  "total": 6,
  "_cache": "miss"
}