## Aikido Patches picomatch Vulnerabilities: Method Injection and ReDoS Flaws Found in Glob Matching Library
A security patch has been deployed addressing two vulnerabilities in picomatch, a widely used glob pattern matching library. The fix, delivered as a patch release from 4.0.3 to 4.0.4, resolves CVE-2026-33672, a medium-severity method injection flaw in POSIX bracket expressions, and CVE-2026-33671, a low-severity regular expression denial of service (ReDoS) weakness affecting extglob patterns.

The method injection flaw (CVE-2026-33672) allows a specially crafted pattern to reference methods inherited through the prototype chain via a POSIX bracket expression, so the class name resolves to something other than a character class and the glob matches incorrectly. This poses a direct risk to applications that depend on glob patterns for security-relevant filtering or validation logic, including access control mechanisms: an attacker who can influence the pattern itself (not merely the path being tested) could bypass such checks by changing how the pattern evaluates file paths or resource identifiers. The ReDoS component (CVE-2026-33671) separately lets a crafted extglob pattern compile to a regular expression whose evaluation time grows superlinearly with the input, potentially causing service disruption.
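The bug class described above, modelled as an added example (this is not picomatch's code, and the lookup table, its contents and the function names are assumptions made for illustration): a POSIX class name is looked up in a plain object, so an unguarded lookup can reach properties inherited from `Object.prototype`, while an unknown name silently becomes the string `undefined` inside the generated regex. The hardened variant accepts only own, known keys.

```javascript
// Added example, not picomatch's code: a minimal model of the bug class the
// advisory describes. A POSIX bracket expression such as [[:alpha:]] is
// translated by looking up the class name in a table. When that table is a
// plain object and the lookup is unguarded, a name such as "toString" or
// "constructor" resolves to a method inherited from Object.prototype and its
// source text is spliced into the generated regex. The table, its contents and
// the function names below are assumptions made for this example.
const POSIX_CLASSES = {
  alpha: 'a-zA-Z',
  digit: '0-9',
  alnum: 'a-zA-Z0-9',
  space: ' \\t\\r\\n\\v\\f',
};

// Matches [[:name:]] and captures the class name.
const BRACKET_RE = /\[\[:([^:\]]+):\]\]/g;

// Vulnerable lookup: POSIX_CLASSES[name] walks the prototype chain, so any
// inherited property is reachable, and an unknown name yields "undefined".
function translateBracketsUnsafe(glob) {
  return glob.replace(BRACKET_RE, (_, name) => `[${POSIX_CLASSES[name]}]`);
}

// Hardened lookup: only own, known keys are accepted; anything else is a
// pattern error instead of a silent fallback to whatever the prototype returns.
function translateBracketsSafe(glob) {
  return glob.replace(BRACKET_RE, (_, name) => {
    if (!Object.prototype.hasOwnProperty.call(POSIX_CLASSES, name)) {
      throw new SyntaxError(`unknown POSIX character class: ${name}`);
    }
    return `[${POSIX_CLASSES[name]}]`;
  });
}

// Reports where a class name actually resolves, for inspection.
function lookupKind(name) {
  if (Object.prototype.hasOwnProperty.call(POSIX_CLASSES, name)) return 'own';
  if (name in POSIX_CLASSES) return 'inherited';
  return 'missing';
}

// Compiles a glob segment to an anchored RegExp and tests one candidate.
// Only [[:class:]] is translated; other characters pass through untouched
// (a real compiler escapes them), which is enough for the demonstration.
function globMatches(glob, candidate, translate = translateBracketsSafe) {
  return new RegExp(`^${translate(glob)}$`).test(candidate);
}

// Demonstration: the unsafe translator leaks an inherited method's source
// and turns an unknown class into the character set of "undefined".
console.log(lookupKind('toString'));                       // inherited
console.log(translateBracketsUnsafe('[[:toString:]]'));    // contains "native code"
console.log(translateBracketsUnsafe('[[:nope:]]'));        // [undefined]
console.log(globMatches('[[:nope:]]', 'u', translateBracketsUnsafe)); // true
console.log(globMatches('v[[:digit:]]', 'v7'));            // true
```

The check that matters is the own-property test: `in` and bare property access both see inherited members, so a lookup table keyed by attacker-influenced names should use `Object.prototype.hasOwnProperty.call` (or be created with `Object.create(null)`) and reject unknown names outright rather than interpolating whatever comes back.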

The patch resolves both CVEs with no breaking changes reported, indicating the fix targets the underlying parsing logic rather than altering the library's API surface. Applications using picomatch for path filtering, file watching, or permission validation should check their dependency trees, including nested copies pulled in transitively by other packages, and confirm that 4.0.4 or later is installed. Only the 4.0.x line is discussed here; any other release line found in a tree should be checked against the upstream advisories rather than assumed fixed or unaffected. The medium severity rating for the method injection vulnerability reflects its potential to undermine integrity checks in access control pipelines, a concern for any system treating glob matching as a security boundary.
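The dependency check described above, as an added example (not the advisory's or the picomatch project's code): walk an npm `package-lock.json` and report every installed copy of picomatch, nested ones included, with whether it is at or above the fixed version. The lock file below is constructed for the example; the fixed version 4.0.4 comes from the advisory.

```javascript
// Added example: audit an npm package-lock.json (lockfileVersion 2 or 3, which
// lists every installed copy under "packages") for copies of a package below a
// fixed version. SAMPLE_LOCK is constructed for this example; the fixed
// version 4.0.4 is the one the advisory names.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', dependencies: { chokidar: '^3.6.0', micromatch: '^4.0.5' } },
    'node_modules/picomatch': { version: '4.0.3' },
    'node_modules/chokidar': { version: '3.6.0' },
    // A nested copy: chokidar resolved its own picomatch, already patched.
    'node_modules/chokidar/node_modules/picomatch': { version: '4.0.4' },
    'node_modules/micromatch': { version: '4.0.5' },
  },
};

// Parses "major.minor.patch" (optional leading "v"; prerelease tags ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison per component, so 4.0.10 sorts after 4.0.4.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Returns one record per installed copy of pkg: its path in node_modules,
// its version, and whether it is at or above fixedVersion.
function auditLock(lock, pkg, fixedVersion) {
  if (!lock.packages) {
    throw new Error('expected lockfileVersion 2 or 3 with a "packages" map');
  }
  const suffix = `node_modules/${pkg}`;
  return Object.entries(lock.packages)
    .filter(([path]) => path === suffix || path.endsWith(`/${suffix}`))
    .map(([path, entry]) => ({
      path,
      version: entry.version,
      patched: compareVersions(entry.version, fixedVersion) >= 0,
    }));
}

const report = auditLock(SAMPLE_LOCK, 'picomatch', '4.0.4');
for (const r of report) {
  console.log(`${r.patched ? 'ok      ' : 'UPGRADE '} ${r.path} ${r.version}`);
}
```

On a real checkout, `npm ls picomatch --all` shows the same nested copies from the installed tree; the lock file walk is useful in CI where nothing is installed yet. The top-level copy above is flagged while the nested one is not, which is exactly the case a flat `npm ls picomatch` without `--all` would miss.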
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: picomatch, CVE-2026-33672, CVE-2026-33671, method injection, ReDoS
- **Credibility**: unverified
- **Published**: 2026-05-13 09:48:23
- **ID**: 82555
- **URL**: https://whisperx.ai/en/intel/82555