Picomatch, a JavaScript glob matcher, suffers from a prototype pollution vulnerability (CWE-1321) in versions before 4.0.4, 3.0.2, and 2.3.2. The vulnerability involves method injection via the POSIX_REGEX_SOURCE object, which inherits from Object.prototype. Specially crafted POSIX bracket expressions like [[:constructor:]] can cause inherited methods to be converted to strings and injected into the generated regular expression. This leads to incorrect glob matching behavior, potentially causing security logic errors in applications that rely on picomatch for filtering or access control. The vulnerability does not enable remote code execution. The issue is resolved in the specified fixed versions. Mitigations include upgrading, sanitizing or rejecting untrusted glob patterns containing POSIX character classes, avoiding POSIX bracket expressions with user input, or patching the library to use a null prototype for POSIX_REGEX_SOURCE.

The vulnerability impacts the integrity of glob matching by causing patterns to match unintended filenames. This can lead to security-relevant logic errors in applications that use picomatch for filtering, validation, or access control decisions. There is no impact on confidentiality or availability, and remote code execution is not possible. The issue primarily affects applications processing untrusted or user-controlled glob patterns.

A fix is available in picomatch versions 4.0.4, 3.0.2, and 2.3.2. Users should upgrade to one of these versions or later according to their supported release line. If upgrading is not immediately possible, avoid passing untrusted glob patterns to picomatch. Additional mitigations include sanitizing or rejecting untrusted glob patterns containing POSIX character classes (e.g., [[:...:]]), avoiding the use of POSIX bracket expressions when user input is involved, or manually patching the library by modifying POSIX_REGEX_SOURCE to use a null prototype. These mitigations reduce the risk of incorrect glob matching behavior caused by this vulnerability.