[Pkg-javascript-devel] Bug#1132160: node-anymatch: CVE-2026-33671 CVE-2026-33672
Salvatore Bonaccorso
carnil at debian.org
Sat Mar 28 16:25:53 GMT 2026
Source: node-anymatch
Version: 3.1.3+~cs8.0.6-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerabilities were published for node-anymatch.
AFAICS node-anymatch provides picomatch and is in unstable in an affected
version at least (correct me if I made a mistake here).
CVE-2026-33671[0]:
| Picomatch is a glob matcher written in JavaScript. Versions prior to
| 4.0.4, 3.0.2, and 2.3.2 are vulnerable to Regular Expression Denial
| of Service (ReDoS) when processing crafted extglob patterns. Certain
| patterns using extglob quantifiers such as `+()` and `*()`,
| especially when combined with overlapping alternatives or nested
| extglobs, are compiled into regular expressions that can exhibit
| catastrophic backtracking on non-matching input. Applications are
| impacted when they allow untrusted users to supply glob patterns
| that are passed to `picomatch` for compilation or matching. In those
| cases, an attacker can cause excessive CPU consumption and block the
| Node.js event loop, resulting in a denial of service. Applications
| that only use trusted, developer-controlled glob patterns are much
| less likely to be exposed in a security-relevant way. This issue is
| fixed in picomatch 4.0.4, 3.0.2 and 2.3.2. Users should upgrade to
| one of these versions or later, depending on their supported release
| line. If upgrading is not immediately possible, avoid passing
| untrusted glob patterns to `picomatch`. Possible mitigations include
| disabling extglob support for untrusted patterns by using
| `noextglob: true`, rejecting or sanitizing patterns containing
| nested extglobs or extglob quantifiers such as `+()` and `*()`,
| enforcing strict allowlists for accepted pattern syntax, running
| matching in an isolated worker or separate process with time and
| resource limits, and applying application-level request throttling
| and input validation for any endpoint that accepts glob patterns.
CVE-2026-33672[1]:
| Picomatch is a glob matcher written in JavaScript. Versions prior to
| 4.0.4, 3.0.2, and 2.3.2 are vulnerable to a method injection
| vulnerability affecting the `POSIX_REGEX_SOURCE` object. Because the
| object inherits from `Object.prototype`, specially crafted POSIX
| bracket expressions (e.g., `[[:constructor:]]`) can reference
| inherited method names. These methods are implicitly converted to
| strings and injected into the generated regular expression. This
| leads to incorrect glob matching behavior (integrity impact), where
| patterns may match unintended filenames. The issue does not enable
| remote code execution, but it can cause security-relevant logic
| errors in applications that rely on glob matching for filtering,
| validation, or access control. All users of affected `picomatch`
| versions that process untrusted or user-controlled glob patterns are
| potentially impacted. This issue is fixed in picomatch 4.0.4, 3.0.2
| and 2.3.2. Users should upgrade to one of these versions or later,
| depending on their supported release line. If upgrading is not
| immediately possible, avoid passing untrusted glob patterns to
| picomatch. Possible mitigations include sanitizing or rejecting
| untrusted glob patterns, especially those containing POSIX character
| classes like `[[:...:]]`; avoiding the use of POSIX bracket
| expressions if user input is involved; and manually patching the
| library by modifying `POSIX_REGEX_SOURCE` to use a null prototype.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-33671
https://www.cve.org/CVERecord?id=CVE-2026-33671
https://github.com/micromatch/picomatch/security/advisories/GHSA-c2c7-rcm5-vvqj
https://github.com/micromatch/picomatch/commit/5eceecd27543b8e056b9307d69e105ea03618a7d
[1] https://security-tracker.debian.org/tracker/CVE-2026-33672
https://www.cve.org/CVERecord?id=CVE-2026-33672
https://github.com/micromatch/picomatch/security/advisories/GHSA-3v7f-55p6-f55p
https://github.com/micromatch/picomatch/commit/4516eb521f13a46b2fe1a1d2c9ef6b20ddc0e903
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
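As an added example (not code from the bug report, from Debian or from picomatch), the mitigations both advisories list, written as a pre-check that an application would run on user-supplied patterns before handing them to picomatch, plus a constructed lookup table showing why a null prototype closes the `[[:constructor:]]` issue. The names `checkUntrustedPattern`, `lookupPosixClass` and the table contents are assumptions made for illustration.

```javascript
// Constructs the advisories tell applications to reject in untrusted patterns:
// extglob quantifiers such as +( *( ?( @( !( (CVE-2026-33671) and POSIX
// bracket classes such as [:alpha:] or [:constructor:] (CVE-2026-33672).
const EXTGLOB_QUANTIFIER = /[+*?@!]\(/;
const POSIX_CLASS = /\[:[^\]]*:\]/;

// Hypothetical gate for patterns supplied by users. Returns { ok, reason } so
// the caller can log why a pattern was refused instead of compiling it.
function checkUntrustedPattern(pattern, maxLength = 256) {
  if (typeof pattern !== 'string') return { ok: false, reason: 'not a string' };
  if (pattern.length > maxLength) return { ok: false, reason: 'too long' };
  if (EXTGLOB_QUANTIFIER.test(pattern)) return { ok: false, reason: 'extglob' };
  if (POSIX_CLASS.test(pattern)) return { ok: false, reason: 'posix class' };
  return { ok: true, reason: '' };
}

// Options an application would pass with an accepted untrusted pattern;
// noextglob is the option the first advisory names as a mitigation.
const UNTRUSTED_PICOMATCH_OPTIONS = Object.freeze({ noextglob: true });

// Constructed stand-in for a POSIX class source table. The plain literal
// inherits from Object.prototype, so a class name such as "constructor"
// resolves to an inherited function that would be stringified into the regex.
const posixSourceInheriting = { alpha: 'a-zA-Z', digit: '0-9' };
// Same data on a null prototype: no inherited names can leak through.
const posixSourceNullProto = Object.assign(Object.create(null), posixSourceInheriting);

// How a naive lookup behaves on either table.
function inheritingLookup(table, name) {
  return table[name];
}

// Defensive lookup: only own properties are valid class names.
function lookupPosixClass(table, name) {
  return Object.prototype.hasOwnProperty.call(table, name) ? table[name] : undefined;
}
```

With the null-prototype table even the naive lookup returns `undefined` for `constructor`, which is the effect of the upstream fix the second advisory describes.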