CVE-2026-27903: CWE-407: Inefficient Algorithmic Complexity in isaacs minimatch
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, `matchOne()` performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent `**` (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where `n` is the number of path segments and `k` is the number of globstars. With k=11 and n=30, a call to the default `minimatch()` API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior. Any application where an attacker can influence the glob pattern passed to `minimatch()` is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3 fix the issue.
AI Analysis
Technical Summary
The vulnerability CVE-2026-27903 affects the isaacs minimatch library, widely used in JavaScript environments to convert glob expressions into RegExp objects. The core issue lies in the matchOne() function's handling of glob patterns containing multiple non-adjacent GLOBSTAR (**) segments. When such patterns are evaluated against input paths that do not match, the function engages in unbounded recursive backtracking without memoization or any mechanism to limit recursion depth or call budget. This results in a binomial time complexity O(C(n, k)), where n is the number of path segments and k is the number of globstars. For example, with k=11 and n=30, the function stalls for approximately 5 seconds, and with k=13, it exceeds 15 seconds.

This inefficiency can be exploited by attackers who can influence the glob pattern input to cause denial-of-service by stalling the Node.js event loop. The attack surface includes build tools and task runners (e.g., ESLint, Webpack, Rollup) that accept user-supplied glob arguments, multi-tenant systems where tenants configure glob-based rules executed in shared processes, administrative or developer interfaces accepting glob-based ignore or filter rules, and CI/CD pipelines processing user-submitted configuration files containing glob patterns. The crafted pattern required to trigger the stall is relatively short (56 bytes) and does not require authentication in contexts where pattern input is a feature.

The vulnerability affects multiple minimatch versions prior to 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, all of which should be updated to fixed versions. The CVSS 3.1 score of 7.5 reflects a high severity due to the potential for remote, unauthenticated denial-of-service impacting availability without compromising confidentiality or integrity. No known exploits are reported in the wild yet, but the ease of exploitation and broad usage of minimatch in JavaScript tooling make this a significant threat.
Potential Impact
The primary impact of CVE-2026-27903 is denial-of-service (DoS) through event loop stalling in Node.js applications using vulnerable minimatch versions. This can degrade or halt services relying on glob pattern matching, including build systems, task runners, multi-tenant platforms, developer/admin interfaces, and CI/CD pipelines. The stalling can cause significant delays (several seconds per invocation), potentially leading to cascading failures, resource exhaustion, and degraded user experience. In multi-tenant or shared environments, one malicious tenant can disrupt service for others. Since the vulnerability does not affect confidentiality or integrity, the main concern is availability. The ease of exploitation without authentication or user interaction in many contexts increases the risk of automated or targeted DoS attacks. Organizations relying heavily on JavaScript tooling and Node.js infrastructure are particularly vulnerable, potentially impacting development workflows, deployment pipelines, and operational stability.
Mitigation Recommendations
To mitigate CVE-2026-27903, organizations should:
- Immediately upgrade all instances of the minimatch library to a fixed version: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5 or 3.1.3, or a later release.
- Review and audit all build tools, task runners, CI/CD pipelines, and multi-tenant systems to identify where user-supplied glob patterns are accepted and processed.
- Implement input validation to restrict or reject glob patterns containing multiple non-adjacent GLOBSTAR (`**`) segments, or otherwise overly complex patterns that could trigger combinatorial backtracking.
- Where feasible, isolate glob pattern processing in separate processes or containers so that a stalled match cannot block critical services.
- Monitor application performance and logs for unusual delays or stalls indicative of exploitation attempts.
- Consider rate limiting or throttling on interfaces that accept glob patterns to reduce the attack surface.
- Engage upstream tool maintainers to ensure dependencies are updated and patched.
- Educate developers and administrators about the risks of accepting untrusted glob patterns and encourage secure configuration practices.
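As an added example (not minimatch's own code and not part of the advisory), the following dependency-free Node.js helper implements the input-validation and monitoring recommendations above. It counts runs of non-adjacent `**` segments in an untrusted pattern, estimates the advisory's C(n, k) worst case for a configured maximum path depth (defaulting to the advisory's n=30), and rejects the pattern before it ever reaches `minimatch()`. It also wraps any matcher function with a wall-clock timer so unusually slow calls can be logged. The threshold constants, the function names and the assumption that `/` separates pattern segments are mine.

```javascript
// Added example: pre-filter and timing guard for untrusted glob patterns.
// Not minimatch's code; thresholds below are assumptions to tune per deployment.

const DEFAULT_MAX_GLOBSTAR_RUNS = 2;   // assumption: most legitimate globs need <= 2
const DEFAULT_MAX_WORK = 1e6;          // assumption: budget for the C(n, k) estimate
const DEFAULT_MAX_PATH_SEGMENTS = 30;  // the advisory's n=30 reference depth

// Split a pattern into path segments (assumes POSIX-style '/' separators).
function globSegments(pattern) {
  return pattern.split('/').filter((s) => s.length > 0);
}

// Count runs of consecutive '**' segments. Adjacent globstars behave as one,
// so only non-adjacent runs contribute to the backtracking blow-up.
function countGlobstarRuns(pattern) {
  let runs = 0;
  let inRun = false;
  for (const seg of globSegments(pattern)) {
    if (seg === '**') {
      if (!inRun) { runs += 1; inRun = true; }
    } else {
      inRun = false;
    }
  }
  return runs;
}

// Binomial coefficient C(n, k), computed iteratively; every intermediate value
// is an integer well below 2^53 for the small n and k used here.
function binomial(n, k) {
  if (k < 0 || k > n) return 0;
  k = Math.min(k, n - k);
  let result = 1;
  for (let i = 1; i <= k; i += 1) {
    result = (result * (n - k + i)) / i;
  }
  return Math.round(result);
}

// Worst-case matchOne() work estimate following the advisory's O(C(n, k))
// characterisation, with k = number of non-adjacent globstar runs.
function estimateWorstCaseWork(pattern, pathSegmentCount) {
  return binomial(pathSegmentCount, countGlobstarRuns(pattern));
}

// Decide whether an untrusted pattern may be handed to minimatch().
function checkPattern(pattern, opts = {}) {
  const maxRuns = opts.maxGlobstarRuns ?? DEFAULT_MAX_GLOBSTAR_RUNS;
  const maxWork = opts.maxWork ?? DEFAULT_MAX_WORK;
  const maxSegments = opts.maxPathSegments ?? DEFAULT_MAX_PATH_SEGMENTS;
  const runs = countGlobstarRuns(pattern);
  if (runs > maxRuns) {
    return { ok: false, reason: `too many non-adjacent ** runs (${runs} > ${maxRuns})`, globstarRuns: runs };
  }
  const work = binomial(maxSegments, runs);
  if (work > maxWork) {
    return { ok: false, reason: `worst-case backtracking ${work} exceeds budget ${maxWork}`, globstarRuns: runs, worstCaseWork: work };
  }
  return { ok: true, reason: 'ok', globstarRuns: runs, worstCaseWork: work };
}

// Wrap any (pattern, path) => boolean matcher with a wall-clock timer, so a
// stall shows up in logs even if a pattern slipped past the static check.
function withTiming(matcher, warnMs = 100, log = console.warn) {
  return function timedMatch(pattern, path) {
    const start = process.hrtime.bigint();
    const matched = matcher(pattern, path);
    const elapsedMs = Number(process.hrtime.bigint() - start) / 1e6;
    if (elapsedMs > warnMs) {
      log(`slow glob match: ${elapsedMs.toFixed(1)} ms, ${countGlobstarRuns(pattern)} globstar runs`);
    }
    return { matched, elapsedMs };
  };
}

module.exports = { globSegments, countGlobstarRuns, binomial, estimateWorstCaseWork, checkPattern, withTiming };
```

In a service, call `checkPattern(userPattern)` and refuse the request when `ok` is false; the returned `reason` is safe to surface to an administrator. For matching itself, pass a real matcher (for example `(p, f) => minimatch(f, p)` after upgrading to a fixed version) to `withTiming` and alert on the log line, which gives you a detection signal independent of the static check.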
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, India, Canada, Australia, Netherlands, China, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-24T15:19:29.718Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699fa148b7ef31ef0b7796b3
Added to database: 2/26/2026, 1:26:32 AM
Last enriched: 3/5/2026, 10:04:15 AM
Last updated: 4/12/2026, 7:56:41 AM