{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/redos/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["picomatch","ReDoS","denial-of-service","extglob"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe picomatch library is susceptible to a Regular Expression Denial of Service (ReDoS) attack when processing maliciously crafted extended glob (extglob) patterns. This vulnerability arises from inefficient regular expression generation when handling patterns that include extglob quantifiers like \u003ccode\u003e+()\u003c/code\u003e and \u003ccode\u003e*()\u003c/code\u003e, especially when these are combined with overlapping alternatives or nested extglobs. The flawed regex compilation can lead to catastrophic backtracking when processing non-matching input strings. Problematic patterns include examples like \u003ccode\u003e+(a|aa)\u003c/code\u003e, \u003ccode\u003e+(*|?)\u003c/code\u003e, \u003ccode\u003e+(+(a))\u003c/code\u003e, \u003ccode\u003e*(+(a))\u003c/code\u003e, and \u003ccode\u003e+(+(+(a)))\u003c/code\u003e. The issue affects picomatch versions before 4.0.4, 3.0.2, and 2.3.2. Applications that permit untrusted users to supply glob patterns to picomatch are at risk, potentially causing a denial-of-service condition due to excessive CPU usage and event loop blocking.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an application that utilizes the picomatch library to process user-supplied glob patterns.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious glob pattern containing nested extglobs or extglob quantifiers such as \u003ccode\u003e+(a|aa)\u003c/code\u003e or \u003ccode\u003e+(+(a))\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker submits the malicious glob pattern to the vulnerable application.\u003c/li\u003e\n\u003cli\u003eThe application passes the attacker-supplied glob pattern to the \u003ccode\u003epicomatch\u003c/code\u003e library for compilation or matching.\u003c/li\u003e\n\u003cli\u003ePicomatch compiles the malicious glob pattern into an inefficient regular expression.\u003c/li\u003e\n\u003cli\u003eWhen matching the compiled regex against an input string, catastrophic backtracking occurs due to the regex complexity.\u003c/li\u003e\n\u003cli\u003eCPU consumption spikes as the regex engine struggles to process the input, blocking the Node.js event loop.\u003c/li\u003e\n\u003cli\u003eThe application becomes unresponsive, leading to a denial-of-service condition.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this ReDoS vulnerability in picomatch can lead to significant denial-of-service conditions. While the number of affected applications is unknown, any application utilizing picomatch to process untrusted glob patterns is potentially vulnerable. The impact includes excessive CPU consumption, event loop blocking in Node.js applications, and potential service outages, causing disruption and impacting availability. Local testing has shown multi-second delays with short inputs, demonstrating the severity of the issue.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to picomatch version 4.0.4, 3.0.2, or 2.3.2, or a later version depending on the supported release line to patch CVE-2026-33671.\u003c/li\u003e\n\u003cli\u003eImplement input validation on any endpoint that accepts glob patterns to reject or sanitize patterns containing nested extglobs or extglob quantifiers such as \u003ccode\u003e+()\u003c/code\u003e and \u003ccode\u003e*()\u003c/code\u003e as described in the overview.\u003c/li\u003e\n\u003cli\u003eDisable extglob support for untrusted patterns by using \u003ccode\u003enoextglob: true\u003c/code\u003e as mentioned in the workarounds section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-25T21:13:29Z","date_published":"2026-03-25T21:13:29Z","id":"/briefs/2026-04-picomatch-redos/","summary":"Picomatch is vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns with quantifiers, leading to excessive CPU consumption and denial of service.","title":"Picomatch ReDoS Vulnerability via Extglob Quantifiers","url":"https://feed.craftedsignal.io/briefs/2026-04-picomatch-redos/"}],"language":"en","title":"CraftedSignal Threat Feed — ReDoS","version":"https://jsonfeed.org/version/1.1"}