The vulnerability CVE-2026-27903 affects the isaacs minimatch library, widely used in JavaScript environments to convert glob expressions into RegExp objects. The core issue lies in the matchOne() function's handling of glob patterns containing multiple non-adjacent GLOBSTAR (**) segments. When such patterns are processed against input paths that do not match, the function executes unbounded recursive backtracking without memoization or bounding mechanisms, resulting in a combinatorial explosion of recursive calls. The time complexity is binomial, O(C(n,k)), where n is the number of path segments and k is the number of globstars. For example, with k=11 and n=30, the function stalls for approximately 5 seconds; with k=13, it exceeds 15 seconds. This inefficiency can be exploited by attackers who can influence the glob pattern input, causing denial-of-service by stalling the Node.js event loop. The attack surface includes developer tools like ESLint, Webpack, Rollup, multi-tenant systems sharing processes, admin interfaces accepting glob-based filters, and CI/CD pipelines evaluating user-submitted configurations. The vulnerability affects multiple versions prior to 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3. The CVSS v3.1 score is 7.5 (high severity), reflecting network attack vector, low attack complexity, no privileges or user interaction required, and high impact on availability. No known exploits are reported in the wild yet. The issue is fixed in the specified patched versions.

This vulnerability can cause denial-of-service conditions by stalling the Node.js event loop for several seconds per invocation of minimatch with crafted glob patterns. For organizations, this can lead to degraded performance or complete service outages in critical development and deployment pipelines, especially those relying on JavaScript-based build tools, task runners, or CI/CD systems that accept user-supplied glob patterns. Multi-tenant environments are particularly at risk, as one tenant's malicious input can impact others sharing the same process. The inability to process glob patterns efficiently can delay builds, linting, bundling, or deployment tasks, causing operational disruptions and potential cascading failures in automated workflows. Although no confidentiality or integrity impacts are present, the availability impact is significant. The ease of exploitation without authentication or user interaction increases the risk, especially in publicly accessible or shared environments.

Organizations should immediately upgrade minimatch to the fixed versions: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, or 3.1.3 depending on their current version. Where upgrading is not immediately feasible, implement input validation to restrict or sanitize glob patterns, specifically limiting the number and placement of GLOBSTAR (**) segments to prevent triggering the exponential backtracking. Employ runtime monitoring to detect unusually long processing times in build or CI/CD tasks that use minimatch. In multi-tenant systems, isolate tenant processes to prevent a single tenant's malicious pattern from impacting others. Consider rate limiting or sandboxing user-supplied glob pattern evaluations. Additionally, review and audit all tools and pipelines that utilize minimatch to identify potential exposure. Finally, maintain awareness of updates from the minimatch project and related dependencies to promptly apply future security patches.