Inefficient Regular Expression Complexity in org.webjars.npm:picomatch

CVE-2026-33671

org.webjars.npm:picomatch
picomatch

High

7.5/10

Summary

`picomatch` is vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as `+()` and `*()`, especially when combined with overlapping alternatives or nested extglobs, are compiled into regular expressions that can exhibit catastrophic backtracking on non-matching input.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: NONE
Availability Impact: HIGH

CWE-1333 - Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

References

Advisory

Advisory Timeline

Published Mar 25, 2026

Inefficient Regular Expression Complexity in org.webjars.npm:picomatch

CVE-2026-33671

Summary

CWE-1333 - Inefficient Regular Expression Complexity

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS