The vulnerability CVE-2026-27904 in the isaacs minimatch library stems from inefficient regular expression complexity (CWE-1333) caused by nested unbounded quantifiers generated from nested extglob patterns such as `*()` and `+()`. Minimatch converts glob expressions into JavaScript RegExp objects, but prior to versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested extglobs produce regex patterns with nested quantifiers like `(?:(?:a|b)*)*`. When these regexes are processed by the V8 engine, they cause catastrophic backtracking, severely degrading performance. For example, a 12-byte pattern `*(*(*(a|b)))` with an 18-byte non-matching input can cause minimatch() to stall for over 7 seconds, and adding more nesting or input length can extend this to minutes. This denial-of-service condition arises without requiring any special options or user interaction, making it trivially exploitable in environments where minimatch processes untrusted input. The issue is fixed in the specified patched versions. No known exploits have been observed in the wild, but the vulnerability poses a significant risk to applications relying on minimatch for pattern matching, especially in server-side JavaScript contexts or build tools.

This vulnerability can lead to denial-of-service (DoS) attacks by causing applications using vulnerable minimatch versions to hang or become unresponsive when processing crafted glob patterns. The impact is primarily on availability, as the CPU resources are consumed excessively due to catastrophic regex backtracking. This can disrupt services, degrade performance, and potentially cause cascading failures in systems that rely on minimatch for file matching, configuration parsing, or input validation. Since minimatch is widely used in Node.js ecosystems, including build tools, package managers, and server-side applications, the scope of affected systems is broad. Attackers can exploit this vulnerability remotely without authentication or user interaction by supplying malicious input to affected APIs. Although no data confidentiality or integrity impact is reported, the availability impact can be severe, especially in high-load or critical environments.

The primary mitigation is to upgrade all instances of the minimatch library to the fixed versions: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, or 3.1.4 and above. Organizations should audit their software dependencies to identify and update vulnerable minimatch versions. Additionally, implement input validation and sanitization to restrict or reject complex nested extglob patterns that could trigger catastrophic backtracking. Where possible, limit the size and complexity of glob patterns accepted from untrusted sources. Employ runtime monitoring to detect unusually high CPU usage or long processing times in pattern matching functions. Consider isolating or sandboxing components that perform glob matching to minimize impact on critical systems. Finally, maintain an inventory of software components and monitor for updates or patches related to minimatch and its dependent projects.