CVE-2026-33672: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in micromatch picomatch
CVE-2026-33672 is a prototype pollution vulnerability in the JavaScript glob matching library picomatch affecting versions prior to 4.0.4, 3.0.2, and 2.3.2. The flaw arises from improper handling of POSIX bracket expressions, allowing method names inherited from Object.prototype to be injected into generated regular expressions. This leads to incorrect glob matching behavior, potentially causing security logic errors in applications relying on picomatch for filtering, validation, or access control.
AI Analysis
Technical Summary
Picomatch is a JavaScript library used for glob pattern matching, commonly employed in file filtering and validation tasks. Versions before 4.0.4, 3.0.2, and 2.3.2 contain a vulnerability classified as CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes), also known as prototype pollution.

The vulnerability stems from the handling of the POSIX_REGEX_SOURCE object, which inherits from Object.prototype. Attackers can craft malicious POSIX bracket expressions such as `[[:constructor:]]` that reference inherited method names. These methods are implicitly converted to strings and injected into the regular expressions generated by picomatch, causing the glob matcher to behave incorrectly. The result is an integrity issue: patterns may match unintended filenames, potentially bypassing security controls that depend on accurate glob matching for filtering or access control. Although this flaw does not allow remote code execution or denial of service, it can lead to security-relevant logic errors in applications processing untrusted glob patterns.

The vulnerability affects all users of vulnerable picomatch versions who accept user-controlled input for glob matching. The issue is fixed in picomatch versions 4.0.4, 3.0.2, and 2.3.2. If immediate upgrading is not feasible, users should sanitize or reject untrusted glob patterns, especially those containing POSIX character classes, avoid using POSIX bracket expressions with user input, or patch the library by modifying POSIX_REGEX_SOURCE to have a null prototype, preventing prototype pollution.

The CVSS 3.1 score is 5.3, indicating medium severity with network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, no confidentiality impact, limited integrity impact, and no availability impact.
Potential Impact
The primary impact of this vulnerability is on the integrity of applications relying on picomatch for glob pattern matching. Incorrect matching can cause security logic errors, such as bypassing filename filters, validation checks, or access control mechanisms that depend on precise glob matching. This can lead to unauthorized access to files or resources, exposure of sensitive data, or execution of unintended operations based on incorrect pattern matches. Since the vulnerability does not allow remote code execution or denial of service, the impact is limited to logical errors rather than system compromise or service disruption. Organizations using picomatch in environments processing untrusted or user-supplied glob patterns are at risk. This includes web applications, build tools, deployment scripts, and any software that filters or validates file paths using picomatch. The medium CVSS score reflects a moderate risk level, but the actual impact depends on the context of usage and the sensitivity of the filtered data or resources.
Mitigation Recommendations
1. Upgrade picomatch to version 4.0.4, 3.0.2, 2.3.2, or later, depending on the supported release line, to apply the official fix.
2. If upgrading is not immediately possible, sanitize or reject untrusted glob patterns, especially those containing POSIX character classes like `[[:...:]]`. Implement strict input validation to prevent malicious bracket expressions.
3. Avoid using POSIX bracket expressions in glob patterns derived from user input to eliminate the attack vector.
4. Consider patching the picomatch library locally by modifying the POSIX_REGEX_SOURCE object to have a null prototype, preventing prototype pollution.
5. Review application logic relying on glob matching for filtering or access control to detect and mitigate potential bypasses.
6. Implement additional layers of validation or access control independent of glob matching results to reduce risk.
7. Monitor for unusual file access patterns or unexpected matches that could indicate exploitation attempts.
8. Educate developers about the risks of prototype pollution and secure handling of user input in pattern matching contexts.
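The two library-side fixes in the technical summary (a null-prototype lookup table, or an own-property-only lookup) and the input validation in mitigations 2 and 3 above, as an added example that is not picomatch's own code. The class table is a constructed subset; the real POSIX_REGEX_SOURCE contents and the validator's regex are assumptions for illustration.

```javascript
// Added example (not picomatch's code). Constructed subset of a POSIX
// class table, shown in the weak shape and the hardened shape.

// Weak shape: an object literal inherits from Object.prototype, so a
// lookup for a name such as "constructor" resolves to an inherited
// function instead of failing.
const POSIX_CLASSES_WEAK = {
  alpha: 'a-zA-Z',
  digit: '0-9',
  alnum: 'a-zA-Z0-9',
};

// Hardened shape: a null-prototype object carries no inherited members,
// so only the classes listed here can ever be resolved.
const POSIX_CLASSES_SAFE = Object.assign(Object.create(null), POSIX_CLASSES_WEAK);

// Naive resolution: any property, inherited or own, is accepted.
function lookupNaive(table, name) {
  return table[name];
}

// Own-property resolution: safe even when the table is a plain object.
function lookupOwn(table, name) {
  return Object.prototype.hasOwnProperty.call(table, name) ? table[name] : undefined;
}

// Input validation for untrusted glob patterns: every [:name:] bracket
// expression must name a known class. Returns the rejected class names;
// an empty list means the pattern may be passed to the matcher.
const POSIX_EXPR = /\[:([^:\]]*):\]/g; // assumed, simplified syntax
function rejectedPosixClasses(pattern, table = POSIX_CLASSES_SAFE) {
  const bad = [];
  for (const m of pattern.matchAll(POSIX_EXPR)) {
    if (lookupOwn(table, m[1]) === undefined) bad.push(m[1]);
  }
  return bad;
}

// Gate for the filtering / access-control use case described on the page.
function isAcceptableGlob(pattern) {
  return rejectedPosixClasses(pattern).length === 0;
}
```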
Affected Countries
United States, Germany, United Kingdom, India, China, Japan, South Korea, France, Canada, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-23T16:34:59.930Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c5ac523c064ed76fd41c47
Added to database: 3/26/2026, 9:59:46 PM
Last enriched: 3/26/2026, 10:16:03 PM
Last updated: 3/27/2026, 12:15:31 AM