minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1.
This issue has been addressed in the following products: Red Hat Enterprise Linux 10 Via RHSA-2026:7080 https://access.redhat.com/errata/RHSA-2026:7080
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2026:7123 https://access.redhat.com/errata/RHSA-2026:7123
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2026:7302 https://access.redhat.com/errata/RHSA-2026:7302
This issue has been addressed in the following products: Red Hat Enterprise Linux 10.0 Extended Update Support Via RHSA-2026:7310 https://access.redhat.com/errata/RHSA-2026:7310
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2026:7350 https://access.redhat.com/errata/RHSA-2026:7350
This issue has been addressed in the following products: Red Hat Enterprise Linux 10 Via RHSA-2026:7675 https://access.redhat.com/errata/RHSA-2026:7675
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2026:7670 https://access.redhat.com/errata/RHSA-2026:7670
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2026:7896 https://access.redhat.com/errata/RHSA-2026:7896
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.6 Extended Update Support Via RHSA-2026:7983 https://access.redhat.com/errata/RHSA-2026:7983
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2026:8339 https://access.redhat.com/errata/RHSA-2026:8339
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.4 Extended Update Support Via RHSA-2026:9711 https://access.redhat.com/errata/RHSA-2026:9711
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.6 Extended Update Support Via RHSA-2026:9874 https://access.redhat.com/errata/RHSA-2026:9874
This issue has been addressed in the following products: Red Hat Ansible Automation Platform 2.6 for RHEL 10 Red Hat Ansible Automation Platform 2.6 for RHEL 9 Via RHSA-2026:13508 https://access.redhat.com/errata/RHSA-2026:13508
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 8.1 Via RHSA-2026:18059 https://access.redhat.com/errata/RHSA-2026:18059
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9 Via RHSA-2026:18055 https://access.redhat.com/errata/RHSA-2026:18055
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8 Via RHSA-2026:18054 https://access.redhat.com/errata/RHSA-2026:18054