Skip to content

CVE-2026-33672 (Medium) detected in picomatch-2.2.2.tgz #610

New issue
New issue
Open
Open
CVE-2026-33672 (Medium) detected in picomatch-2.2.2.tgz#610
Labels
Mend: dependency security vulnerabilitySecurity vulnerability detected by WhiteSource
@mend-for-github-com

Description

@mend-for-github-com
mend-for-github-com
bot
opened on Mar 26, 2026

CVE-2026-33672 - Medium Severity Vulnerability

Vulnerable Library - picomatch-2.2.2.tgz

Blazing fast and accurate glob matcher written in JavaScript, with no dependencies and full support for standard and extended Bash glob features, including braces, extglobs, POSIX brackets, and regular expressions.

Library home page: https://registry.npmjs.org/picomatch/-/picomatch-2.2.2.tgz

Path to dependency file: /ui/package.json

Path to vulnerable library: /ui/package.json

Dependency Hierarchy:

  • compiler-cli-10.2.1.tgz (Root Library)
    • chokidar-3.4.3.tgz
      • anymatch-3.1.1.tgz
        • picomatch-2.2.2.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to a method injection vulnerability affecting the "POSIX_REGEX_SOURCE" object. Because the object inherits from "Object.prototype", specially crafted POSIX bracket expressions (e.g., "[[:constructor:]]") can reference inherited method names. These methods are implicitly converted to strings and injected into the generated regular expression. This leads to incorrect glob matching behavior (integrity impact), where patterns may match unintended filenames. The issue does not enable remote code execution, but it can cause security-relevant logic errors in applications that rely on glob matching for filtering, validation, or access control. All users of affected "picomatch" versions that process untrusted or user-controlled glob patterns are potentially impacted. This issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2. Users should upgrade to one of these versions or later, depending on their supported release line. If upgrading is not immediately possible, avoid passing untrusted glob patterns to picomatch. Possible mitigations include sanitizing or rejecting untrusted glob patterns, especially those containing POSIX character classes like "[[:...:]]"; avoiding the use of POSIX bracket expressions if user input is involved; and manually patching the library by modifying "POSIX_REGEX_SOURCE" to use a null prototype.

Publish Date: 2026-03-26

URL: CVE-2026-33672

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-03-25

Fix Resolution: https://github.com/micromatch/picomatch.git - 2.3.2,https://github.com/micromatch/picomatch.git - 4.0.4,https://github.com/micromatch/picomatch.git - 3.0.2

Metadata

Metadata

Assignees

No one assigned

    Labels

    Mend: dependency security vulnerabilitySecurity vulnerability detected by WhiteSource

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions