Anonymous Intelligence Signal

picomatch Hit with 4 HIGH Severity Advisories: ReDoS and Method Injection Flaws Threaten Next.js Ecosystem

The Lab (human) | unverified | 2026-05-10 07:31:40 | Source: GitHub Issues

A significant security alert has emerged for the JavaScript ecosystem: picomatch, a widely used glob matching library, has been flagged with four HIGH severity advisories spanning two distinct vulnerability classes, Regular Expression Denial of Service (ReDoS) and method injection in POSIX character classes. Because each flaw undermines application security through a different attack vector, the advisories have triggered urgent scrutiny across projects that depend on the library, whether directly or through transitive dependency chains.

Picomatch is the core pattern-matching engine behind many file glob operations, which makes these vulnerabilities particularly consequential. The ReDoS vulnerability stems from extglob quantifiers that trigger catastrophic backtracking on maliciously crafted input strings, enabling denial of service wherever user-controlled data flows into glob matching on the server side. The method injection flaw affects POSIX character class parsing and produces incorrect glob matching results: a pattern that should match a given path may not, and a path that a rule was written to catch can slip past it. That is what makes it a deny-list bypass, a critical concern for applications that rely on glob-based access control, routing decisions, or file permission logic.
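Two defensive checks for the two flaw classes just described, as an added example that is not picomatch's own code and does not reproduce either advisory. The first gates a glob pattern that arrived from a request before any engine sees it: it bounds the length and refuses repeating extglob groups nested inside repeating extglob groups, the shape that compiles to nested regex quantifiers. The second shows the assumed mechanism behind "method injection" in POSIX classes: a class name taken from the pattern is looked up on a plain object, so names that are not in the table but exist on Object.prototype (constructor, toString, hasOwnProperty) still resolve to a function, and its source text ends up spliced into the regex. Every function and table name here (maxRepeatedExtglobDepth, vetUserGlob, POSIX_CLASSES, expandPosix) is hypothetical; the class table is a small constructed subset.

```javascript
'use strict';
// Added example, not picomatch's own code. The POSIX lookup mechanism shown in
// part 2 is an assumption about how such a flaw arises, not a copy of picomatch.

// ---- 1. Gate user-controlled glob patterns before they reach the engine ----

// Extglob groups are introduced by one of these characters followed by "(".
const EXTGLOB_OPENERS = new Set(['+', '*', '?', '@', '!']);

// Deepest nesting of repeating extglob groups, i.e. "+(...)" or "*(...)".
// A repeating group inside a repeating group compiles to nested regex
// quantifiers such as ((a)+)+, the classic shape for catastrophic backtracking.
function maxRepeatedExtglobDepth(pattern) {
  const stack = []; // one entry per open group: true if that group repeats
  let depth = 0;
  let max = 0;
  let prev = null; // previous unescaped character
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === '\\') { i++; prev = null; continue; } // skip an escaped character
    if (c === '(' && prev !== null && EXTGLOB_OPENERS.has(prev)) {
      const repeats = prev === '+' || prev === '*';
      stack.push(repeats);
      if (repeats) { depth++; if (depth > max) max = depth; }
    } else if (c === ')' && stack.length > 0) {
      if (stack.pop()) depth--;
    }
    prev = c;
  }
  return max;
}

// Policy for a pattern that came from a request: bound its size and refuse
// nested repeating extglobs. Returns { ok, reason }.
function vetUserGlob(pattern, { maxLength = 256 } = {}) {
  if (typeof pattern !== 'string') return { ok: false, reason: 'pattern must be a string' };
  if (pattern.length > maxLength) return { ok: false, reason: 'pattern too long' };
  if (maxRepeatedExtglobDepth(pattern) >= 2) return { ok: false, reason: 'nested extglob quantifiers' };
  return { ok: true };
}

// ---- 2. POSIX bracket classes: look names up without touching the prototype ----

// Constructed subset of class name -> regex character-class body.
const POSIX_CLASSES = {
  alpha: 'a-zA-Z',
  digit: '0-9',
  alnum: 'a-zA-Z0-9',
  space: ' \\t\\r\\n\\v\\f',
};

// Unsafe lookup: "constructor" or "toString" is not a key of the table but
// still resolves, through Object.prototype, to a function.
function posixClassUnsafe(name) {
  return POSIX_CLASSES[name];
}

// Hardened lookup: only own properties count; anything else is unknown.
function posixClassSafe(name) {
  return Object.prototype.hasOwnProperty.call(POSIX_CLASSES, name) ? POSIX_CLASSES[name] : null;
}

// Replace every "[:name:]" token in a bracket expression with its class body.
function expandPosix(src, lookup) {
  return src.replace(/\[:([A-Za-z_$][\w$]*):\]/g, (_m, name) => {
    const body = lookup(name);
    if (body == null) throw new Error(`unknown POSIX class "${name}"`);
    return String(body); // with the unsafe lookup this is a function's source text
  });
}

// Side-by-side result for the two lookups on an attacker-chosen class name.
function demo() {
  const attacker = '[[:constructor:]]';
  const leaked = expandPosix(attacker, posixClassUnsafe); // "[function Object() { [native code] }]"
  let safeError = null;
  try { expandPosix(attacker, posixClassSafe); } catch (e) { safeError = e.message; }
  return { leaked, safeError, alpha: expandPosix('[[:alpha:]]+', posixClassSafe) };
}
```

The depth check is a conservative gate, not a proof of safety: a single repeating group whose alternatives overlap can still backtrack badly, so on a server the pattern vetting belongs alongside a length bound on the string being matched and a patched engine, not instead of them. The prototype problem is the same one that affects any name-to-value table keyed by user input; a null-prototype object (Object.create(null)) or a Map gives the same protection as the hasOwnProperty check.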

The exposure reaches into standard development tooling: picomatch is pulled in transitively through micromatch, which feeds into @next/eslint-plugin-next and ultimately eslint-config-next. A project using Next.js's standard ESLint configuration can therefore carry the affected code without any direct dependency on picomatch, and npm ls picomatch (or the yarn/pnpm equivalent) will often show more than one installed copy, because intermediate packages pin their own major. Two caveats shape the priority. eslint-config-next is development tooling, so that particular chain is not reachable from a request handler; the runtime risk is confined to server code that passes user-controlled strings or patterns into glob matching. Even so, the combination of DoS potential and pattern-bypass risk makes this a priority patch. Audit the full dependency tree, nested copies included, and apply updates as maintainers release fixes; where an intermediate package pins an old range, refreshing the lockfile or adding an npm overrides entry may be needed rather than a plain update.
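The audit the paragraph asks for, as an added example that is not code from picomatch, micromatch or Next.js: walk an npm lockfile (lockfileVersion 2 or 3, the "packages" map) from the root, resolve each dependency the way npm does (nearest enclosing node_modules that contains it), and report every installed copy of a package with the chain that pulls it in. The lockfile below is constructed for the example; its package names follow the chain described in the article plus one unrelated runtime dependency, and every version string is a placeholder, not a real release. Function names (resolveDep, findCopies, formatReport) are hypothetical.

```javascript
'use strict';
// Added example, not code from picomatch, micromatch or Next.js: locate every
// copy of a package in an npm lockfile and show the chain that installs it.

// Constructed sample lockfile. Versions are placeholders, not real releases.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': {
      dependencies: { 'some-app-dep': '0.0.0-sample' },
      devDependencies: { 'eslint-config-next': '0.0.0-sample' },
    },
    'node_modules/eslint-config-next': { version: '0.0.0-sample', dependencies: { '@next/eslint-plugin-next': '0.0.0-sample' } },
    'node_modules/@next/eslint-plugin-next': { version: '0.0.0-sample', dependencies: { micromatch: '0.0.0-sample' } },
    'node_modules/micromatch': { version: '0.0.0-sample', dependencies: { picomatch: '0.0.0-sample' } },
    // nested copy: micromatch pinned a different picomatch major than the hoisted one
    'node_modules/micromatch/node_modules/picomatch': { version: '2.0.0-sample' },
    // hoisted copy reached by an unrelated runtime dependency
    'node_modules/some-app-dep': { version: '0.0.0-sample', dependencies: { picomatch: '0.0.0-sample' } },
    'node_modules/picomatch': { version: '4.0.0-sample' },
  },
};

// npm resolution: from install path `from`, dependency `name` lives in the
// nearest enclosing node_modules directory that contains it.
function resolveDep(packages, from, name) {
  let scope = from;
  for (;;) {
    const candidate = (scope ? scope + '/' : '') + 'node_modules/' + name;
    if (Object.prototype.hasOwnProperty.call(packages, candidate)) return candidate;
    if (scope === '') return null; // not installed (e.g. optional or peer dep)
    const idx = scope.lastIndexOf('/node_modules/');
    scope = idx === -1 ? '' : scope.slice(0, idx);
  }
}

// Depth-first walk from the root. Records every install path whose package is
// `target`, with the first chain of package names found that reaches it.
function findCopies(lock, target) {
  const packages = lock.packages || {};
  const found = new Map(); // install path -> { version, chain }
  const visited = new Set();
  function walk(path, chain) {
    if (visited.has(path)) return;
    visited.add(path);
    const entry = packages[path] || {};
    // devDependencies are only installed for the root package
    const deps = { ...entry.dependencies, ...entry.optionalDependencies, ...(path === '' ? entry.devDependencies : {}) };
    for (const name of Object.keys(deps)) {
      const resolved = resolveDep(packages, path, name);
      if (resolved === null) continue;
      const nextChain = chain.concat(name);
      if (name === target && !found.has(resolved)) {
        found.set(resolved, { version: packages[resolved].version, chain: nextChain });
      }
      walk(resolved, nextChain);
    }
  }
  walk('', []);
  return [...found]
    .map(([path, info]) => ({ path, ...info }))
    .sort((a, b) => a.path.localeCompare(b.path));
}

// One line per copy: chain@version (install path).
function formatReport(copies) {
  return copies.map((c) => `${c.chain.join(' > ')}@${c.version}  (${c.path})`);
}

// CLI use: node audit.js package-lock.json [package-name]; with no lockfile
// argument the constructed sample is used.
if (typeof require !== 'undefined' && require.main === module) {
  const file = process.argv.slice(2).find((a) => a.endsWith('.json'));
  const lock = file ? JSON.parse(require('fs').readFileSync(file, 'utf8')) : SAMPLE_LOCK;
  const target = process.argv.slice(2).find((a) => !a.endsWith('.json')) || 'picomatch';
  for (const line of formatReport(findCopies(lock, target))) console.log(line);
}
```

Compare each reported version against the fixed versions named in the advisories; the script deliberately does not hardcode them. The point of walking from the root rather than grepping the lockfile is the second column: a nested copy under micromatch is the one a plain npm update of picomatch will not touch, and the chain tells you which intermediate package pins it.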