SCA: security update for minimatch (GHSA-7r86-cg39-jmmj)

high Tenable Self-Hosted Container Security Plugin ID 438108

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects.
Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, `matchOne()` performs
unbounded recursive backtracking when a glob pattern contains multiple non-adjacent `**` (GLOBSTAR)
segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where `n` is
the number of path segments and `k` is the number of globstars. With k=11 and n=30, a call to the default
`minimatch()` API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call
budget exists to bound this behavior. Any application where an attacker can influence the glob pattern
passed to `minimatch()` is vulnerable. The realistic attack surface includes build tools and task runners
that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one
tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept
ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config
files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can
stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second
stall and does not require authentication in contexts where pattern input is part of the feature. Versions
10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3 fix the issue. (CVE-2026-27903)

See Also

https://github.com/advisories/GHSA-7r86-cg39-jmmj

Plugin Details

Severity: High

ID: 438108

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 3/3/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.73

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2026-27903

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/26/2026

Vulnerability Publication Date: 2/26/2026

Reference Information

CVE: CVE-2026-27903

cwe: CWE-407