
[Vulnerability] nestjs/nest: Regular Expression Denial of Service (ReDoS) #253

Description

@github-actions

Potential Security Vulnerability Detected

Repository: nestjs/nest
Commit: 65845dc
Author: Kamil Mysliwiec
Date: 2026-03-26T09:21:17Z

Commit Message

Merge pull request #16643 from nestjs/dependabot/npm_and_yarn/multi-bf05dc1ecf

chore(deps): bump picomatch

Pull Request

PR: #16643 - chore(deps): bump picomatch
Labels: dependencies, javascript

Description:
[//]: # (dependabot-start)
⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.


[//]: # (dependabot-end)

Bumps and [picomatch](https://github.com/micromatch/picomatch). These dependencies needed to be updated together.
Updates picomatch from 4.0.3 to 4.0.4
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a hr...

Analysis

Vulnerability Type: Regular Expression Denial of Service (ReDoS)
Severity: High

Description

This update bumps the picomatch library to version 4.0.4, which fixes multiple security vulnerabilities including CVE-2026-33671 and CVE-2026-33672. These vulnerabilities relate to crafted input causing excessive backtracking in pattern matching, leading to denial of service. The patch prevents malicious patterns from triggering the ReDoS condition.

Affected Code

The vulnerable code is the pattern matching implementation in picomatch before version 4.0.4, which compiles and matches glob patterns without guarding against inputs that trigger catastrophic backtracking in the generated regular expression.

Proof of Concept

Using picomatch version 4.0.3 or earlier:

```js
const picomatch = require('picomatch');
const matcher = picomatch('*(a|aa|aaa|aaaa|aaaaa)*');

console.time('match');
matcher('aaaaaaaaaaaaaaa!'); // Crafted input triggers heavy CPU usage and starves the event loop
console.timeEnd('match');
```

This input causes exponential backtracking, significantly increasing CPU load and leading to denial of service.

This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-03-26T12:00:22.564Z
