[Vulnerability] nestjs/nest: Regular Expression Denial of Service (ReDoS) #254

Description

@github-actions

Potential Security Vulnerability Detected

Repository: nestjs/nest
Commit: b37420b
Author: dependabot[bot]
Date: 2026-03-25T21:58:34Z

Commit Message

chore(deps): bump picomatch

Bumps  and [picomatch](https://github.com/micromatch/picomatch). These dependencies needed to be updated together.

Updates `picomatch` from 4.0.3 to 4.0.4
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](https://github.com/micromatch/picomatch/compare/4.0.3...4.0.4)

Updates `picomatch` from 2.3.1 to 2.3.2
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](https://github.com/micromatch/picomatch/compare/4.0.3...4.0.4)

---
updated-dependencies:
- dependency-name: picomatch
  dependency-version: 4.0.4
  dependency-type: indirect
- dependency-name: picomatch
  dependency-version: 2.3.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

Pull Request

PR: #16643 - chore(deps): bump picomatch
Labels: dependencies, javascript

Description:
[//]: # (dependabot-start)
⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.


[//]: # (dependabot-end)

Bumps and [picomatch](https://github.com/micromatch/picomatch). These dependencies needed to be updated together.
Updates picomatch from 4.0.3 to 4.0.4
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a hr...

Analysis

Vulnerability Type: Regular Expression Denial of Service (ReDoS)
Severity: High

Description

This update patches two security vulnerabilities (CVE-2026-33671 and CVE-2026-33672) in picomatch, a library that performs pattern matching using regular expressions. The vulnerabilities allowed crafted input patterns to cause excessive backtracking in regular expressions, leading to denial of service by overwhelming CPU resources. The patch modifies picomatch’s regex handling to mitigate these ReDoS attacks.

Affected Code

Code in picomatch version 4.0.3 (and presumably 2.3.1) uses unbounded or inefficient regex patterns for matching inputs, allowing attackers to craft specific patterns to cause catastrophic backtracking.

Proof of Concept

Using picomatch 4.0.3, an attacker can trigger the vulnerability by calling the matcher with a pattern designed to cause catastrophic backtracking, e.g., repeatedly nesting wildcards or alternations:

```javascript
const picomatch = require('picomatch');
const matcher = picomatch('a+(b|c)*d?');

// This input explodes regex backtracking causing CPU spike and event loop blocking:
matcher('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!');
```

The long run of 'a's followed by a character that forces the regex engine to backtrack excessively leads to denial of service.

This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-03-26T12:00:42.006Z
