Inefficient Regular Expression Complexity Affecting nodejs-docs package, versions <1:20.20.2-1.module+el8.10.0+90878+0d41f8c0


Severity

Recommended: high

Based on Oracle Linux security rating.

Threat Intelligence

EPSS: 0.47% (38th percentile)

  • Snyk ID: SNYK-ORACLE8-NODEJSDOCS-16001948
  • published: 13 Apr 2026
  • disclosed: 26 Feb 2026

Introduced: 26 Feb 2026

CVE-2026-27904
CWE-1333

How to fix?

Upgrade Oracle:8 nodejs-docs to version 1:20.20.2-1.module+el8.10.0+90878+0d41f8c0 or higher.
This issue was patched in ELSA-2026-8339.

NVD Description

Note: Versions mentioned in the description apply only to the upstream nodejs-docs package and not the nodejs-docs package as distributed by Oracle. See How to fix? for Oracle:8 relevant fixed versions and status.

minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested *() extglobs produce regexps with nested unbounded quantifiers (e.g. (?:(?:a|b)*)*), which exhibit catastrophic backtracking in V8. With a 12-byte pattern *(*(*(a|b))) and an 18-byte non-matching input, minimatch() stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default minimatch() API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects +() extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.
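
Glob patterns that come from untrusted input can be screened for the nested *() / +() form described above before they are handed to minimatch(). The following is an added example, not code from minimatch, Snyk or Oracle; the function names are hypothetical, and the check is a heuristic that is meant to err toward rejecting, not a substitute for the fixed versions.

```javascript
// Added example: pre-check for glob patterns taken from untrusted input.
// Function names are hypothetical; this is not part of minimatch.

// Returns the deepest nesting level of repeating extglobs ("*(" or "+(").
function repeatExtglobDepth(glob) {
  // With '[' or '\' present, a ')' may be a literal character, so groups are
  // never closed and every repeating extglob counts as nested in the last one.
  const ambiguous = /[\[\\]/.test(glob);
  const stack = [];   // one entry per open "(": true if the group repeats
  let current = 0;    // repeating groups currently open
  let deepest = 0;
  for (let i = 0; i < glob.length; i++) {
    const ch = glob[i];
    if ((ch === '*' || ch === '+') && glob[i + 1] === '(') {
      stack.push(true);
      current += 1;
      deepest = Math.max(deepest, current);
      i += 1;           // consume the "("
    } else if (ch === '(') {
      stack.push(false); // plain group, or a ?( @( !( extglob
    } else if (ch === ')' && stack.length > 0 && !ambiguous) {
      if (stack.pop()) current -= 1;
    }
  }
  return deepest;
}

// Accept a pattern only if no repeating extglob sits inside another one.
function isGlobSafeForMatching(glob) {
  return typeof glob === 'string' && repeatExtglobDepth(glob) < 2;
}

// Constructed sample patterns; the fourth is the pattern quoted in the description.
const samples = ['src/**/*.js', '*(a|b)', '+(x|y).@(js|ts)',
                 '*(*(*(a|b)))', '+(*(a))', '*([)]*(a))'];
for (const p of samples) {
  console.log(p.padEnd(18), isGlobSafeForMatching(p) ? 'accept' : 'reject');
}
```

Sibling extglobs such as *(a)*(b) are accepted because neither is inside the other; only nesting of repeating groups is rejected.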

CVSS Base Scores

version 3.1