CVE-2026-27904: CWE-1333: Inefficient Regular Expression Complexity in isaacs minimatch
CVE-2026-27904 is a high-severity vulnerability in the isaacs minimatch library, a JavaScript utility that converts glob patterns into regular expressions. The flaw arises from inefficient regular expression complexity caused by nested extglobs like `*()` and `+()`, which generate regexes with nested unbounded quantifiers leading to catastrophic backtracking in the V8 JavaScript engine. This can cause the minimatch function to stall for several seconds to minutes on crafted inputs, resulting in a denial of service. The vulnerability affects many versions prior to 10.2.3, 9.0.7, 8.0.6, 7.
AI Analysis
Technical Summary
The vulnerability CVE-2026-27904 affects the isaacs minimatch library, widely used in JavaScript environments to convert glob patterns into regular expressions for pattern matching. The root cause is inefficient regular expression complexity due to nested extglob constructs such as `*()` and `+()`. These constructs produce regex patterns with nested unbounded quantifiers (e.g., `(?:(?:a|b)*)*`), which cause catastrophic backtracking in the V8 JavaScript engine when processing certain inputs. This backtracking leads to excessive CPU consumption and significant delays, effectively causing a denial of service (DoS) condition. For example, a 12-byte pattern like `*(*(*(a|b)))` combined with an 18-byte non-matching input can cause the minimatch function to stall for over 7 seconds, with longer inputs or deeper nesting increasing the delay to minutes. The vulnerability is triggered by the default minimatch API without requiring any special options, making it easy to exploit. Affected versions span multiple major releases, including all versions before 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4. The issue is classified under CWE-1333 (Inefficient Regular Expression Complexity). No known exploits have been reported in the wild, but the potential for denial of service is significant. The patch releases address this by correcting the regex generation to avoid nested unbounded quantifiers.
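The advisory's root cause is an extglob opened inside another extglob, so a defender can measure exactly that property of an incoming pattern. The following is an added example (not minimatch's own code, and not the upstream fix) that computes the extglob nesting depth of a glob pattern and refuses to hand patterns above a limit to the matcher; the helper names `extglobNestingDepth`, `checkGlobPattern` and `guardedMatch`, the default limit of 1, and the sample patterns are assumptions made for this example.

```javascript
// Added example (not minimatch's own code): a pre-check that measures how deeply
// extglobs are nested in a glob pattern and rejects patterns above a limit before
// they reach minimatch. The helper names and the depth limit are assumptions.

// Characters that turn a following `(` into an extglob: *( +( ?( @( !(
const EXTGLOB_OPENERS = new Set(['*', '+', '?', '@', '!']);

// Maximum extglob nesting depth of a pattern.
// `*.js` -> 0, `*(a|b)` -> 1, `*(*(*(a|b)))` -> 3.
// Backslash-escaped characters and anything inside a bracket expression
// `[...]` are treated as literals; this approximates minimatch's own parsing
// closely enough to serve as a rejection filter.
function extglobNestingDepth(pattern) {
  let depth = 0;
  let maxDepth = 0;
  let inBracket = false;
  let prevIsOpener = false;
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '\\') {            // escape: the next character is a literal
      i++;
      prevIsOpener = false;
      continue;
    }
    if (inBracket) {              // parens inside [...] are literals
      if (ch === ']') inBracket = false;
      prevIsOpener = false;
      continue;
    }
    if (ch === '[') {
      inBracket = true;
      prevIsOpener = false;
      continue;
    }
    if (ch === '(' && prevIsOpener) {
      depth++;
      if (depth > maxDepth) maxDepth = depth;
    } else if (ch === ')' && depth > 0) {
      depth--;
    }
    prevIsOpener = EXTGLOB_OPENERS.has(ch);
  }
  return maxDepth;
}

// Validate a pattern from an untrusted source. A limit of 1 allows ordinary
// extglobs such as `+(a|b)` while rejecting nested ones; the limit is a
// policy choice for this example, not a value from the advisory.
function checkGlobPattern(pattern, { maxDepth = 1 } = {}) {
  if (typeof pattern !== 'string') {
    return { ok: false, reason: 'pattern must be a string' };
  }
  const depth = extglobNestingDepth(pattern);
  if (depth > maxDepth) {
    return { ok: false, reason: `extglob nesting depth ${depth} exceeds limit ${maxDepth}` };
  }
  return { ok: true, reason: null };
}

// Wrap any glob matcher (for example minimatch's `minimatch(path, pattern)`)
// so that rejected patterns never reach it.
function guardedMatch(matcher, path, pattern, options) {
  const verdict = checkGlobPattern(pattern, options);
  if (!verdict.ok) {
    throw new Error(`rejected glob pattern: ${verdict.reason}`);
  }
  return matcher(path, pattern);
}

// Usage with the real library would be:
//   const { minimatch } = require('minimatch');
//   guardedMatch(minimatch, 'src/app.js', userSuppliedPattern);
```

The check runs in linear time over the pattern, so it cannot itself become the bottleneck, and it is deliberately independent of the library version: it stays useful as a belt-and-braces control on interfaces that accept patterns from callers even after upgrading.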
Potential Impact
This vulnerability can cause denial of service by making applications that use minimatch stall or become unresponsive due to excessive CPU usage triggered by crafted glob patterns. Since minimatch is commonly used in Node.js projects, build tools, package managers, and other JavaScript-based systems, this can impact a wide range of applications and services. Attackers can exploit this remotely without authentication or user interaction by supplying malicious input to any interface that uses minimatch for pattern matching. The impact is limited to availability, with no direct confidentiality or integrity compromise. However, denial of service can disrupt critical development pipelines, CI/CD systems, web servers, or any service relying on minimatch for pattern matching. The broad usage of minimatch in open-source and enterprise environments increases the risk of widespread disruption if unpatched. The lack of known exploits suggests the threat is currently theoretical but should be addressed promptly to prevent future abuse.
Mitigation Recommendations
The primary mitigation is to upgrade minimatch to the fixed release for its major line (10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, or 3.1.4) or later. Projects should audit their dependencies to identify and update any packages that rely on vulnerable minimatch versions, including nested copies installed under other packages. If an immediate upgrade is not possible, consider implementing input validation or sanitization to reject or limit nested extglob patterns such as `*()` and `+()` that can trigger the vulnerability. Rate limiting and resource usage monitoring can help detect and mitigate denial of service attempts. Developers should avoid exposing interfaces that accept arbitrary glob patterns from untrusted sources. Additionally, consider using alternative glob matching libraries that do not exhibit this regex complexity issue if upgrading is not feasible. Continuous monitoring for unusual CPU spikes or application stalls can help detect exploitation attempts.
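The dependency audit recommended above, as an added example that is neither npm's nor minimatch's code: it walks the `packages` map of a lockfileVersion 2 or 3 `package-lock.json`, finds every installed copy of minimatch (including copies nested under other packages, which is where an outdated one usually hides), and compares each against the fixed release of its major line as listed in this advisory. The sample lockfile, the function names and the `unknown` status for major versions the advisory does not list are constructed assumptions for this example.

```javascript
// Added example (not npm's or minimatch's code): flag copies of minimatch in an
// npm lockfile that are older than the fixed release of their major line.

// Fixed releases per major line, taken from the advisory.
const FIXED_BY_MAJOR = {
  10: '10.2.3', 9: '9.0.7', 8: '8.0.6', 7: '7.4.8',
  6: '6.2.2', 5: '5.1.8', 4: '4.2.5', 3: '3.1.4',
};
// The advisory lists "all versions before 3.1.4", so majors below 3 are
// also affected; the nearest fixed release for them is 3.1.4.
const OLDEST_FIXED = '3.1.4';

// Parse `x.y.z` with an optional prerelease tag; returns null if unparseable.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v));
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].slice(1) : null };
}

// Compare two versions: -1, 0 or 1. A prerelease sorts before its final
// release; two prereleases of the same triple are treated as equal here.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// Classify one minimatch version against the advisory's fixed releases.
function classifyMinimatch(version) {
  const parsed = parseVersion(version);
  if (!parsed) return { status: 'unknown', fixedIn: null };
  const major = parsed.nums[0];
  if (major < 3) return { status: 'vulnerable', fixedIn: OLDEST_FIXED };
  const fixedIn = FIXED_BY_MAJOR[major];
  if (!fixedIn) return { status: 'unknown', fixedIn: null }; // major not covered by the advisory
  return { status: compareVersions(version, fixedIn) < 0 ? 'vulnerable' : 'fixed', fixedIn };
}

// Walk a lockfileVersion 2/3 `packages` map. Entries look like
// "node_modules/minimatch" or "node_modules/glob/node_modules/minimatch".
// (lockfileVersion 1 files use a nested `dependencies` tree and are not handled.)
function findMinimatchCopies(lock) {
  const results = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const isMinimatch = path === 'node_modules/minimatch' || path.endsWith('/node_modules/minimatch');
    if (!isMinimatch) continue;
    results.push({ path, version: entry.version, ...classifyMinimatch(entry.version) });
  }
  return results;
}

// Human-readable report lines, one per copy found.
function auditReport(lock) {
  return findMinimatchCopies(lock).map((r) =>
    r.status === 'fixed'
      ? `${r.path}@${r.version}: fixed`
      : `${r.path}@${r.version}: ${r.status}${r.fixedIn ? ` (upgrade to ${r.fixedIn})` : ''}`);
}

// Constructed sample lockfile for this example, not a real project's file.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/minimatch': { version: '10.2.3' },
    'node_modules/glob': { version: '7.2.3' },
    'node_modules/glob/node_modules/minimatch': { version: '3.1.2' },
    'node_modules/some-tool/node_modules/minimatch': { version: '9.0.5' },
  },
};

// With a real lockfile: auditReport(JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8')))
for (const line of auditReport(SAMPLE_LOCK)) console.log(line);
```

For the sample lockfile the report shows the top-level copy as fixed and the two nested copies as vulnerable with their upgrade targets, which is the typical shape of a real finding: the direct dependency has been bumped while a transitive one is still pinned to an old major line by another package's `dependencies` range.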
Affected Countries
United States, Germany, United Kingdom, India, China, Japan, France, Canada, Australia, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-24T15:19:29.718Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699fa148b7ef31ef0b7796b6
Added to database: 2/26/2026, 1:26:32 AM
Last enriched: 2/26/2026, 1:40:47 AM
Last updated: 2/26/2026, 2:50:29 AM