CVE-2026-33672 - Medium Severity Vulnerability
Vulnerable Libraries - picomatch-2.3.1.tgz, picomatch-4.0.2.tgz, picomatch-4.0.3.tgz
picomatch-2.3.1.tgz
Blazing fast and accurate glob matcher written in JavaScript, with no dependencies and full support for standard and extended Bash glob features, including braces, extglobs, POSIX brackets, and regular expressions.
Library home page: https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/picomatch/package.json
Dependency Hierarchy:
- stylelint-config-esl-5.15.0.tgz (Root Library)
- stylelint-17.5.0.tgz
- micromatch-4.0.8.tgz
- ❌ picomatch-2.3.1.tgz (Vulnerable Library)
picomatch-4.0.2.tgz
Library home page: https://registry.npmjs.org/picomatch/-/picomatch-4.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@nx/jest/node_modules/picomatch/package.json,/node_modules/@nx/js/node_modules/picomatch/package.json,/node_modules/@nx/workspace/node_modules/picomatch/package.json
Dependency Hierarchy:
- js-22.6.1.tgz (Root Library)
- ❌ picomatch-4.0.2.tgz (Vulnerable Library)
picomatch-4.0.3.tgz
Blazing fast and accurate glob matcher written in JavaScript, with no dependencies and full support for standard and extended Bash glob features, including braces, extglobs, POSIX brackets, and regular expressions.
Library home page: https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@11ty/eleventy/node_modules/picomatch/package.json,/node_modules/@jest/console/node_modules/picomatch/package.json,/node_modules/@jest/globals/node_modules/picomatch/package.json,/node_modules/@jest/reporters/node_modules/picomatch/package.json,/node_modules/@jest/transform/node_modules/picomatch/package.json,/node_modules/@stylistic/eslint-plugin/node_modules/picomatch/package.json,/node_modules/expect/node_modules/picomatch/package.json,/node_modules/jest-circus/node_modules/picomatch/package.json,/node_modules/jest-config/node_modules/picomatch/package.json,/node_modules/jest-each/node_modules/picomatch/package.json,/node_modules/jest-haste-map/node_modules/picomatch/package.json,/node_modules/jest-resolve/node_modules/picomatch/package.json,/node_modules/jest-runner/node_modules/picomatch/package.json,/node_modules/jest-runtime/node_modules/picomatch/package.json,/node_modules/jest-snapshot/node_modules/picomatch/package.json,/node_modules/jest-watcher/node_modules/picomatch/package.json,/node_modules/jest-worker/node_modules/picomatch/package.json,/node_modules/tinyglobby/node_modules/picomatch/package.json
Dependency Hierarchy:
- js-22.6.1.tgz (Root Library)
- tinyglobby-0.2.15.tgz
- ❌ picomatch-4.0.3.tgz (Vulnerable Library)
Found in HEAD commit: 624af1e6ef611aeaaa9a0444ca492056b5b5353f
Found in base branch: main
Vulnerability Details
Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to a method injection vulnerability affecting the "POSIX_REGEX_SOURCE" object. Because the object inherits from "Object.prototype", specially crafted POSIX bracket expressions (e.g., "[[:constructor:]]") can reference inherited method names. These methods are implicitly converted to strings and injected into the generated regular expression. This leads to incorrect glob matching behavior (integrity impact), where patterns may match unintended filenames. The issue does not enable remote code execution, but it can cause security-relevant logic errors in applications that rely on glob matching for filtering, validation, or access control. All users of affected "picomatch" versions that process untrusted or user-controlled glob patterns are potentially impacted. This issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2. Users should upgrade to one of these versions or later, depending on their supported release line. If upgrading is not immediately possible, avoid passing untrusted glob patterns to picomatch. Possible mitigations include sanitizing or rejecting untrusted glob patterns, especially those containing POSIX character classes like "[[:...:]]"; avoiding the use of POSIX bracket expressions if user input is involved; and manually patching the library by modifying "POSIX_REGEX_SOURCE" to use a null prototype.
Publish Date: 2026-03-26
URL: CVE-2026-33672
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-25
Fix Resolution: https://github.com/micromatch/picomatch.git - 2.3.2,https://github.com/micromatch/picomatch.git - 3.0.2,https://github.com/micromatch/picomatch.git - 4.0.4
Step up your Open Source Security Game with Mend here
CVE-2026-33672 - Medium Severity Vulnerability
picomatch-2.3.1.tgz
Blazing fast and accurate glob matcher written in JavaScript, with no dependencies and full support for standard and extended Bash glob features, including braces, extglobs, POSIX brackets, and regular expressions.
Library home page: https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/picomatch/package.json
Dependency Hierarchy:
picomatch-4.0.2.tgz
Library home page: https://registry.npmjs.org/picomatch/-/picomatch-4.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@nx/jest/node_modules/picomatch/package.json,/node_modules/@nx/js/node_modules/picomatch/package.json,/node_modules/@nx/workspace/node_modules/picomatch/package.json
Dependency Hierarchy:
picomatch-4.0.3.tgz
Blazing fast and accurate glob matcher written in JavaScript, with no dependencies and full support for standard and extended Bash glob features, including braces, extglobs, POSIX brackets, and regular expressions.
Library home page: https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@11ty/eleventy/node_modules/picomatch/package.json,/node_modules/@jest/console/node_modules/picomatch/package.json,/node_modules/@jest/globals/node_modules/picomatch/package.json,/node_modules/@jest/reporters/node_modules/picomatch/package.json,/node_modules/@jest/transform/node_modules/picomatch/package.json,/node_modules/@stylistic/eslint-plugin/node_modules/picomatch/package.json,/node_modules/expect/node_modules/picomatch/package.json,/node_modules/jest-circus/node_modules/picomatch/package.json,/node_modules/jest-config/node_modules/picomatch/package.json,/node_modules/jest-each/node_modules/picomatch/package.json,/node_modules/jest-haste-map/node_modules/picomatch/package.json,/node_modules/jest-resolve/node_modules/picomatch/package.json,/node_modules/jest-runner/node_modules/picomatch/package.json,/node_modules/jest-runtime/node_modules/picomatch/package.json,/node_modules/jest-snapshot/node_modules/picomatch/package.json,/node_modules/jest-watcher/node_modules/picomatch/package.json,/node_modules/jest-worker/node_modules/picomatch/package.json,/node_modules/tinyglobby/node_modules/picomatch/package.json
Dependency Hierarchy:
Found in HEAD commit: 624af1e6ef611aeaaa9a0444ca492056b5b5353f
Found in base branch: main
Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to a method injection vulnerability affecting the "POSIX_REGEX_SOURCE" object. Because the object inherits from "Object.prototype", specially crafted POSIX bracket expressions (e.g., "[[:constructor:]]") can reference inherited method names. These methods are implicitly converted to strings and injected into the generated regular expression. This leads to incorrect glob matching behavior (integrity impact), where patterns may match unintended filenames. The issue does not enable remote code execution, but it can cause security-relevant logic errors in applications that rely on glob matching for filtering, validation, or access control. All users of affected "picomatch" versions that process untrusted or user-controlled glob patterns are potentially impacted. This issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2. Users should upgrade to one of these versions or later, depending on their supported release line. If upgrading is not immediately possible, avoid passing untrusted glob patterns to picomatch. Possible mitigations include sanitizing or rejecting untrusted glob patterns, especially those containing POSIX character classes like "[[:...:]]"; avoiding the use of POSIX bracket expressions if user input is involved; and manually patching the library by modifying "POSIX_REGEX_SOURCE" to use a null prototype.
Publish Date: 2026-03-26
URL: CVE-2026-33672
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Release Date: 2026-03-25
Fix Resolution: https://github.com/micromatch/picomatch.git - 2.3.2,https://github.com/micromatch/picomatch.git - 3.0.2,https://github.com/micromatch/picomatch.git - 4.0.4
Step up your Open Source Security Game with Mend here