
CVE-2026-33671: CWE-1333: Inefficient Regular Expression Complexity in micromatch picomatch

Severity: High
Tags: CVE-2026-33671, CWE-1333
Published: Thu Mar 26 2026 (03/26/2026, 21:20:48 UTC)
Source: CVE Database V5
Vendor/Project: micromatch
Product: picomatch

Description

CVE-2026-33671 is a high-severity Regular Expression Denial of Service (ReDoS) vulnerability in the JavaScript glob matching library picomatch, affecting versions prior to 4.0.4, 3.0.2, and 2.3.2. The flaw arises from inefficient regular expression handling of crafted extglob patterns, especially those using quantifiers like +() and *(), which can cause catastrophic backtracking and excessive CPU consumption. This leads to blocking of the Node.js event loop and denial of service.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/26/2026, 21:59:55 UTC

Technical Analysis

Picomatch is a widely used JavaScript library for glob pattern matching, integral to many Node.js applications and tools that rely on pattern matching for file system operations or input filtering. CVE-2026-33671 identifies a vulnerability in picomatch versions prior to 4.0.4, 3.0.2, and 2.3.2, where certain crafted extglob patterns cause inefficient regular expression compilation. Specifically, patterns using extglob quantifiers such as +() and *(), especially when combined with overlapping alternatives or nested extglobs, generate regular expressions prone to catastrophic backtracking. When picomatch processes these malicious patterns, the resulting regex engine consumes excessive CPU cycles, blocking the Node.js event loop and causing denial of service. This vulnerability is classified under CWE-1333 (Inefficient Regular Expression Complexity). The attack vector requires that an attacker can supply untrusted glob patterns to picomatch, which is common in applications that accept user input for pattern matching. Applications using only developer-controlled patterns are less vulnerable. The vulnerability has a CVSS v3.1 score of 7.5 (high severity), reflecting its network attack vector, low complexity, no privileges or user interaction required, and impact on availability only. No public exploits have been reported yet. The issue is fixed in picomatch versions 4.0.4, 3.0.2, and 2.3.2. Until upgrading is feasible, mitigations include disabling extglob support for untrusted inputs, sanitizing or rejecting patterns with nested extglobs or quantifiers, enforcing strict allowlists on pattern syntax, isolating matching operations in separate processes with resource limits, and applying application-level input validation and request throttling.

Potential Impact

The primary impact of this vulnerability is denial of service due to excessive CPU consumption and blocking of the Node.js event loop. This can degrade or completely halt the availability of applications relying on picomatch for glob pattern matching, especially those exposed to untrusted user input. Services such as web servers, build tools, file watchers, or any Node.js-based system that processes user-supplied glob patterns can be disrupted. The vulnerability does not affect confidentiality or integrity but can cause significant operational disruption and potential downtime. Large-scale or automated attacks could lead to widespread service outages, impacting business continuity and user experience. Organizations relying on picomatch in critical infrastructure or high-availability environments face increased risk. The lack of authentication or user interaction requirements makes exploitation easier in exposed contexts. However, applications that restrict glob patterns to trusted sources are less vulnerable. No known exploits in the wild reduce immediate risk but do not eliminate the threat.

Mitigation Recommendations

1. Upgrade picomatch to version 4.0.4, 3.0.2, or 2.3.2 or later as soon as possible to apply the official fix.
2. If upgrading is not immediately possible, configure picomatch with the option `noextglob: true` to disable extglob support for untrusted inputs, preventing vulnerable pattern compilation.
3. Implement strict input validation by rejecting or sanitizing glob patterns containing nested extglobs or quantifiers such as +() and *().
4. Enforce allowlists that restrict accepted glob pattern syntax to safe subsets, minimizing exposure to crafted patterns.
5. Run glob matching operations in isolated worker threads or separate processes with enforced CPU time and memory limits to contain potential resource exhaustion.
6. Apply application-level request throttling and rate limiting on endpoints accepting glob patterns to reduce attack surface and impact.
7. Monitor application performance and logs for signs of excessive CPU usage or event loop blocking indicative of attempted exploitation.
8. Educate developers and security teams about the risks of processing untrusted glob patterns and encourage secure coding practices around pattern matching.
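The following is an added example, not code from picomatch or from this advisory, of the pre-filter described in steps 3 and 4: it scans an untrusted glob for extglob groups (`+(`, `*(`, `?(`, `@(`, `!(`) and their nesting depth before the pattern is ever handed to picomatch. The `maxLength` limit and the function names are assumptions of this example; only the `noextglob` option comes from the advisory.

```javascript
// Characters that turn a following "(" into an extglob group.
const EXTGLOB_PREFIXES = new Set(['+', '*', '?', '@', '!']);

// Scan a glob pattern for extglob groups and report how many were found and
// how deeply they nest. Backslash-escaped characters are skipped, so "\+("
// is treated as a literal. Parentheses inside [...] classes are not special-
// cased, which makes the scan conservative (it may over-count, never under-count).
function scanExtglob(pattern) {
  let extglobs = 0;
  let depth = 0;
  let maxDepth = 0;
  let escapedAt = -1;          // index of the last escaped character
  const stack = [];            // true = extglob group, false = plain "(" group
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === '\\') { escapedAt = i + 1; i++; continue; }
    if (c === '(') {
      const prefixIsLive = i > 0 && escapedAt !== i - 1;
      const isExtglob = prefixIsLive && EXTGLOB_PREFIXES.has(pattern[i - 1]);
      stack.push(isExtglob);
      if (isExtglob) {
        extglobs++;
        depth++;
        if (depth > maxDepth) maxDepth = depth;
      }
    } else if (c === ')' && stack.length > 0) {
      if (stack.pop()) depth--;
    }
  }
  return { extglobs, maxDepth };
}

// Policy for patterns from untrusted callers: bounded length and no extglob
// groups at all. Patterns that pass should still be compiled with
// { noextglob: true } (the picomatch option named above) as defence in depth.
function validateUntrustedGlob(pattern, { maxLength = 256 } = {}) {
  if (typeof pattern !== 'string' || pattern.length === 0) {
    return { ok: false, reason: 'pattern must be a non-empty string' };
  }
  if (pattern.length > maxLength) {
    return { ok: false, reason: `pattern longer than ${maxLength} characters` };
  }
  const { extglobs, maxDepth } = scanExtglob(pattern);
  if (extglobs > 0) {
    return { ok: false, reason: `extglob groups not allowed (found ${extglobs}, depth ${maxDepth})` };
  }
  return { ok: true, reason: null };
}
```

Pair the validator with step 5 (a worker with a CPU-time limit) for any pattern that still has to reach picomatch before the upgrade is rolled out.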


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-23T16:34:59.930Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69c5a8ce3c064ed76fd1dae2

Added to database: 3/26/2026, 9:44:46 PM

Last enriched: 3/26/2026, 9:59:55 PM

Last updated: 3/26/2026, 10:52:52 PM
