Summary
ember-cli-babel@8.3.1 depends on multiple vulnerable versions of minimatch (3.1.2, 8.0.4, 9.0.5), which are vulnerable to Regular Expression Denial of Service (ReDoS) (High severity).
- Snyk Advisory: https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15309438
- Fix Commit: isaacs/minimatch@2e111f3
- Severity: High
Vulnerability Details
Affected versions of minimatch are vulnerable to ReDoS in the AST class, caused by catastrophic backtracking when an input string contains many * characters in a row followed by an unmatched character.
Example Affected Dependency Paths
minimatch is pulled in through 21 paths in ember-cli-babel@8.3.1. Key paths grouped by vulnerable version:
| # | Dependency Path |
|---|---|
| 1 | ember-cli-babel → babel-plugin-module-resolver@5.0.2 → glob@9.3.5 → minimatch@8.0.4 |
| 2 | ember-cli-babel → broccoli-funnel@3.0.8 → minimatch@3.1.2 |
| 3 | ember-cli-babel → broccoli-funnel@3.0.8 → walk-sync@2.2.0 → minimatch@3.1.2 |
| … | few more... |
Potential Remediation
- The fix is available in `minimatch` version 10.2.1 or higher. Upgrade the transitive dependencies that pull in vulnerable `minimatch` versions (`broccoli-funnel`, `broccoli-plugin`, `broccoli-persistent-filter`, `broccoli-debug`, `walk-sync`, `rimraf`, `glob`, and `babel-plugin-module-resolver`) to versions that depend on `minimatch@>=10.2.1`.
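To check whether the remediation above has actually landed in a project, it helps to enumerate every dependency path that still resolves to a `minimatch` below 10.2.1, the way the table in this issue does. The script below is an added example written for this issue, not code from ember-cli-babel or minimatch: it walks an npm `package-lock.json` (lockfileVersion 3) using npm's nested `node_modules` resolution rule and reports each path ending in a version older than the fixed one. The lockfile fragment embedded in it is constructed to mirror the three paths listed above; the helper names (`resolveDep`, `findVulnerablePaths`, `compareSemver`) are this example's own.

```javascript
// Added example: find every dependency path in an npm lockfile (v3) that
// reaches a target package at a version below the fixed version.
const FIXED_MINIMATCH = "10.2.1"; // fixed version named in the advisory

// Constructed lockfile fragment (only the fields this walk needs). It mirrors
// the paths in the issue table and is NOT a real ember-cli-babel lockfile.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", dependencies: { "ember-cli-babel": "^8.3.1" } },
    "node_modules/ember-cli-babel": {
      version: "8.3.1",
      dependencies: { "broccoli-funnel": "^3.0.8", "babel-plugin-module-resolver": "^5.0.2" },
    },
    "node_modules/broccoli-funnel": {
      version: "3.0.8",
      dependencies: { minimatch: "^3.0.0", "walk-sync": "^2.0.0" },
    },
    "node_modules/walk-sync": { version: "2.2.0", dependencies: { minimatch: "^3.0.0" } },
    "node_modules/minimatch": { version: "3.1.2" },
    "node_modules/babel-plugin-module-resolver": { version: "5.0.2", dependencies: { glob: "^9.3.5" } },
    "node_modules/glob": { version: "9.3.5", dependencies: { minimatch: "^8.0.2" } },
    // glob keeps its own nested copy, exactly the situation that hides a second version
    "node_modules/glob/node_modules/minimatch": { version: "8.0.4" },
  },
};

// Compare two MAJOR.MINOR.PATCH strings; pre-release suffixes are ignored.
function compareSemver(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// npm resolution: look for the dependency in the nearest node_modules folder,
// then walk up one nesting level at a time until the project root.
function resolveDep(lock, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + depName;
    if (lock.packages[candidate]) return candidate;
    if (base === "") return null; // not installed at all
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first walk from the root package; each hit is rendered as
// "name@version → name@version → target@version", like the issue's table.
function findVulnerablePaths(lock, target, fixedVersion) {
  const results = [];
  const walk = (pkgPath, trail, seen) => {
    const pkg = lock.packages[pkgPath];
    if (!pkg) return;
    for (const depName of Object.keys(pkg.dependencies || {})) {
      const depPath = resolveDep(lock, pkgPath, depName);
      if (!depPath || seen.has(depPath)) continue; // missing or cyclic
      const dep = lock.packages[depPath];
      const label = `${depName}@${dep.version}`;
      if (depName === target) {
        if (compareSemver(dep.version, fixedVersion) < 0) {
          results.push([...trail, label].join(" → "));
        }
        continue;
      }
      walk(depPath, [...trail, label], new Set([...seen, depPath]));
    }
  };
  walk("", [], new Set());
  return results;
}

console.log(findVulnerablePaths(sampleLock, "minimatch", FIXED_MINIMATCH).join("\n"));
```

Run it against a real project by replacing `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json"))`; an empty result means no path in the install tree still resolves to a pre-fix `minimatch`, which is the condition the remediation bullet is asking for.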