Potential Security Vulnerability Detected
Repository: nestjs/nest
Commit: b37420b
Author: dependabot[bot]
Date: 2026-03-25T21:58:34Z
Commit Message
chore(deps): bump picomatch
Bumps and [picomatch](https://github.com/micromatch/picomatch). These dependencies needed to be updated together.
Updates `picomatch` from 4.0.3 to 4.0.4
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](https://github.com/micromatch/picomatch/compare/4.0.3...4.0.4)
Updates `picomatch` from 2.3.1 to 2.3.2
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](https://github.com/micromatch/picomatch/compare/4.0.3...4.0.4)
---
updated-dependencies:
- dependency-name: picomatch
dependency-version: 4.0.4
dependency-type: indirect
- dependency-name: picomatch
dependency-version: 2.3.2
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Pull Request
PR: #16643 - chore(deps): bump picomatch
Labels: dependencies, javascript
Description:
Bumps and [picomatch](https://github.com/micromatch/picomatch). These dependencies needed to be updated together.
Updates picomatch from 4.0.3 to 4.0.4
Analysis
Vulnerability Type: Regular Expression Denial of Service (ReDoS)
Severity: High
Description
This update patches two security vulnerabilities (CVE-2026-33671 and CVE-2026-33672) in picomatch, a library that performs pattern matching using regular expressions. The vulnerabilities allowed crafted input patterns to cause excessive backtracking in regular expressions, leading to denial of service by overwhelming CPU resources. The patch modifies picomatch’s regex handling to mitigate these ReDoS attacks.
Affected Code
picomatch 4.0.3 (and presumably 2.3.1) compiles glob patterns into regular expressions that can backtrack catastrophically, so a crafted pattern or input can drive matching time far beyond linear.
Proof of Concept
Using picomatch 4.0.3, an attacker can trigger the vulnerability by calling the matcher with a pattern designed to cause catastrophic backtracking, e.g., repeatedly nesting wildcards or alternations:
```javascript
const picomatch = require('picomatch');

// Pattern containing a nested quantifier and alternation
const matcher = picomatch('a+(b|c)*d?');

// This input explodes regex backtracking, causing a CPU spike and event loop blocking:
matcher('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!');
```
The large sequence of 'a's followed by a character that causes the regex engine to backtrack excessively leads to Denial of Service.
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-03-26T12:00:42.006Z