Potential Security Vulnerability Detected
Repository: nestjs/nest
Commit: 65845dc
Author: Kamil Mysliwiec
Date: 2026-03-26T09:21:17Z
Commit Message
Merge pull request #16643 from nestjs/dependabot/npm_and_yarn/multi-bf05dc1ecf
chore(deps): bump picomatch
Pull Request
PR: #16643 - chore(deps): bump picomatch
Labels: dependencies, javascript
Description:
⚠️ Dependabot is rebasing this PR ⚠️
Rebasing might not happen immediately, so don't worry if this takes some time.
Note: if you make any changes to this PR yourself, they will take precedence over the rebase.
Bumps and [picomatch](https://github.com/micromatch/picomatch). These dependencies needed to be updated together.
Updates picomatch from 4.0.3 to 4.0.4
Release notes
Sourced from ...
Analysis
Vulnerability Type: Regular Expression Denial of Service (ReDoS)
Severity: High
Description
This update bumps the picomatch library to version 4.0.4, which fixes multiple security vulnerabilities including CVE-2026-33671 and CVE-2026-33672. These vulnerabilities relate to crafted input causing excessive backtracking in pattern matching, leading to denial of service. The patch prevents malicious patterns from triggering the ReDoS condition.
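As an added example (not code from nestjs/nest, picomatch or Dependabot), the check a practitioner would run before and after merging a bump like this: scan an npm lockfile (lockfileVersion 2 or 3, which lists every installed path under `packages`) for every copy of picomatch and flag any below 4.0.4, including nested copies that deduplication did not hoist. The lockfile fragment and the dependency name `some-glob-tool` are constructed for the example.

```javascript
// Added example: find every installed copy of a package in an npm lockfile
// (lockfileVersion 2/3) and flag those below the fixed version.
// Not code from nestjs/nest or picomatch; the lockfile below is constructed.
const FIXED = '4.0.4';

// Minimal numeric x.y.z comparison; pre-release tags are not handled because
// the published picomatch releases in question are plain x.y.z.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Walk the "packages" map. Keys are install paths such as
// "node_modules/picomatch" or "node_modules/chokidar/node_modules/picomatch",
// so nested copies that npm could not hoist are found as well.
function findCopies(lockfile, name) {
  const suffix = `node_modules/${name}`;
  const copies = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === suffix || path.endsWith(`/${suffix}`)) {
      copies.push({ path, version: entry.version, dev: Boolean(entry.dev) });
    }
  }
  return copies;
}

function vulnerableCopies(lockfile, name, fixed) {
  return findCopies(lockfile, name).filter(c => compareVersions(c.version, fixed) < 0);
}

// Constructed lockfile fragment: the hoisted copy is already at 4.0.4, but a
// hypothetical dependency "some-glob-tool" still pins a nested 4.0.3.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/picomatch': { version: '4.0.4' },
    'node_modules/some-glob-tool': { version: '2.1.0', dependencies: { picomatch: '^4.0.0' } },
    'node_modules/some-glob-tool/node_modules/picomatch': { version: '4.0.3' },
    'node_modules/picomatch-browser': { version: '2.2.6' } // different package, must not match
  }
};

for (const c of vulnerableCopies(sampleLock, 'picomatch', FIXED)) {
  console.log(`${c.path} is ${c.version} (< ${FIXED})`);
}
```

Run it against a real `package-lock.json` with `JSON.parse(fs.readFileSync(...))` in place of `sampleLock`; an empty result is the condition to require before closing the alert, since a hoisted 4.0.4 says nothing about copies nested under other dependents.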
Affected Code
The affected code is picomatch's pattern compiler and matcher in versions before 4.0.4. picomatch compiles a glob into a JavaScript RegExp and hands matching to the engine's backtracking regex matcher, so a pattern whose compiled form places overlapping alternatives under an unbounded repetition (the `*(a|aa|aaa|aaaa|aaaaa)` extglob in the proof of concept below is one such shape) forces the engine to retry every partition of a near-matching input before it can fail, and matching time grows exponentially with input length. Wherever the pattern or the subject string is attacker-controlled, for example user-supplied file filters or path allow-lists, this is a CPU denial of service; the 4.0.4 patch changes the pattern handling so these inputs no longer reach the pathological case.
Proof of Concept
Using picomatch version 4.0.3 or earlier:
```js
const picomatch = require('picomatch');

// Extglob with overlapping alternatives under repetition, followed by a
// second wildcard: the pattern shape that drives the backtracking.
const matcher = picomatch('*(a|aa|aaa|aaaa|aaaaa)*');

// A long run of 'a' spoiled by a trailing character the extglob cannot
// consume, so the engine retries every way of partitioning the run.
const input = 'aaaaaaaaaaaaaaa!';

console.time('match');
matcher(input); // Malicious input causes heavy CPU usage causing event loop starvation
console.timeEnd('match');
```
This input causes exponential backtracking: matching time grows exponentially with the length of the run of `a` characters, so a modest input pins a CPU core and, because the regex engine runs synchronously, blocks the Node.js event loop for the whole process rather than a single request. To verify, install picomatch@4.0.3 into a scratch directory, run the script, then repeat with 4.0.4 and compare the timings; if the difference is not obvious, lengthen the run of `a` characters. Because picomatch usually reaches an application as a transitive dependency, check the lockfile for every installed copy rather than only the hoisted one.
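An added example, not picomatch's or the project's code, showing two things a practitioner wants next to this proof of concept: first, the regex shape the extglob reduces to (an assumption about the shape, not picomatch's exact compiled output) timed against a linear-time equivalent on a constructed attacker input; second, a guard for code that must accept glob-like patterns from users, which supports only the `*` and `?` subset, caps pattern and subject length, and matches with a two-pointer algorithm whose cost is bounded by pattern length times subject length instead of handing the pattern to a backtracking regex engine.

```javascript
// Added example: the backtracking shape behind the proof of concept, and a
// bounded matcher for user-supplied glob patterns. Not picomatch's code.

// Assumed shape that `*(a|aa|aaa|aaaa|aaaaa)` reduces to: overlapping
// alternatives under an unbounded repetition with an end anchor. A failing
// match retries every way of partitioning the run of 'a' into pieces of 1..5.
const BACKTRACKING_RE = /^(?:a|aa|aaa|aaaa|aaaaa)*$/;
// Same language ("zero or more a"), one quantifier, no overlap: linear.
const LINEAR_RE = /^a*$/;

// Constructed attacker input: n copies of 'a' then a character the group
// cannot consume, so the match can only fail after exhausting the partitions.
function attackerInput(n) {
  return 'a'.repeat(n) + '!';
}

function timeMatch(re, subject) {
  const start = performance.now();
  const matched = re.test(subject);
  return { matched, ms: performance.now() - start };
}

// Plain-glob matcher: `*` matches any run of characters except '/', `?` one
// character except '/', everything else is literal. Two-pointer algorithm that
// backtracks only to the most recent `*`, so the work is bounded by
// pattern.length * subject.length; there is no exponential case.
function wildcardMatch(pattern, subject) {
  let p = 0, s = 0, starP = -1, starS = -1;
  while (s < subject.length) {
    const pc = p < pattern.length ? pattern[p] : undefined;
    if (pc === '*') {
      starP = p; starS = s; p++;                 // try the star as empty first
    } else if (pc === subject[s] || (pc === '?' && subject[s] !== '/')) {
      p++; s++;
    } else if (starP !== -1 && subject[starS] !== '/') {
      starS++; s = starS; p = starP + 1;         // let the last star absorb one more char
    } else {
      return false;                              // no star to extend, or it would cross '/'
    }
  }
  while (p < pattern.length && pattern[p] === '*') p++;  // trailing stars match empty
  return p === pattern.length;
}

// Length caps keep even the n*m bound small for untrusted input.
const MAX_PATTERN = 256;
const MAX_SUBJECT = 4096;

function safeMatcher(pattern) {
  if (typeof pattern !== 'string' || pattern.length === 0 || pattern.length > MAX_PATTERN) {
    throw new Error(`pattern rejected: must be 1..${MAX_PATTERN} characters`);
  }
  return subject =>
    typeof subject === 'string' && subject.length <= MAX_SUBJECT && wildcardMatch(pattern, subject);
}

// Demonstration on short runs: the backtracking regex grows roughly
// geometrically per extra 'a'; the linear regex and the bounded matcher do not.
for (const n of [10, 16, 20]) {
  const bad = timeMatch(BACKTRACKING_RE, attackerInput(n));
  const good = timeMatch(LINEAR_RE, attackerInput(n));
  console.log(`n=${n}: backtracking ${bad.ms.toFixed(2)} ms, linear ${good.ms.toFixed(3)} ms`);
}
console.log(safeMatcher('src/*.ts')('src/main.ts'), safeMatcher('src/*.ts')('src/sub/main.ts'));
```

The guard deliberately drops extglobs, braces and character classes: if an application needs those from untrusted input, the pattern itself is the attack surface and should be validated against an allow-list of fixed patterns rather than compiled on demand.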
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-03-26T12:00:22.564Z