Source: node-anymatch
Version: 3.1.3+~cs8.0.6-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerabilities were published for node-anymatch. AFAICS node-anymatch provides picomatch and in unstable in an affected version at least (correct me if I made a mistake here).

CVE-2026-33671[0]:
| Picomatch is a glob matcher written in JavaScript. Versions prior to
| 4.0.4, 3.0.2, and 2.3.2 are vulnerable to Regular Expression Denial
| of Service (ReDoS) when processing crafted extglob patterns. Certain
| patterns using extglob quantifiers such as `+()` and `*()`,
| especially when combined with overlapping alternatives or nested
| extglobs, are compiled into regular expressions that can exhibit
| catastrophic backtracking on non-matching input. Applications are
| impacted when they allow untrusted users to supply glob patterns
| that are passed to `picomatch` for compilation or matching. In those
| cases, an attacker can cause excessive CPU consumption and block the
| Node.js event loop, resulting in a denial of service. Applications
| that only use trusted, developer-controlled glob patterns are much
| less likely to be exposed in a security-relevant way. This issue is
| fixed in picomatch 4.0.4, 3.0.2 and 2.3.2. Users should upgrade to
| one of these versions or later, depending on their supported release
| line. If upgrading is not immediately possible, avoid passing
| untrusted glob patterns to `picomatch`. Possible mitigations include
| disabling extglob support for untrusted patterns by using
| `noextglob: true`, rejecting or sanitizing patterns containing
| nested extglobs or extglob quantifiers such as `+()` and `*()`,
| enforcing strict allowlists for accepted pattern syntax, running
| matching in an isolated worker or separate process with time and
| resource limits, and applying application-level request throttling
| and input validation for any endpoint that accepts glob patterns.

CVE-2026-33672[1]:
| Picomatch is a glob matcher written in JavaScript. Versions prior to
| 4.0.4, 3.0.2, and 2.3.2 are vulnerable to a method injection
| vulnerability affecting the `POSIX_REGEX_SOURCE` object. Because the
| object inherits from `Object.prototype`, specially crafted POSIX
| bracket expressions (e.g., `[[:constructor:]]`) can reference
| inherited method names. These methods are implicitly converted to
| strings and injected into the generated regular expression. This
| leads to incorrect glob matching behavior (integrity impact), where
| patterns may match unintended filenames. The issue does not enable
| remote code execution, but it can cause security-relevant logic
| errors in applications that rely on glob matching for filtering,
| validation, or access control. All users of affected `picomatch`
| versions that process untrusted or user-controlled glob patterns are
| potentially impacted. This issue is fixed in picomatch 4.0.4, 3.0.2
| and 2.3.2. Users should upgrade to one of these versions or later,
| depending on their supported release line. If upgrading is not
| immediately possible, avoid passing untrusted glob patterns to
| picomatch. Possible mitigations include sanitizing or rejecting
| untrusted glob patterns, especially those containing POSIX character
| classes like `[[:...:]]`; avoiding the use of POSIX bracket
| expressions if user input is involved; and manually patching the
| library by modifying `POSIX_REGEX_SOURCE` to use a null prototype.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-33671
    https://www.cve.org/CVERecord?id=CVE-2026-33671
    https://github.com/micromatch/picomatch/security/advisories/GHSA-c2c7-rcm5-vvqj
    https://github.com/micromatch/picomatch/commit/5eceecd27543b8e056b9307d69e105ea03618a7d
[1] https://security-tracker.debian.org/tracker/CVE-2026-33672
    https://www.cve.org/CVERecord?id=CVE-2026-33672
    https://github.com/micromatch/picomatch/security/advisories/GHSA-3v7f-55p6-f55p
    https://github.com/micromatch/picomatch/commit/4516eb521f13a46b2fe1a1d2c9ef6b20ddc0e903

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

