Skip to content

vite-0.1.17.tgz: 1 vulnerabilities (highest severity is: 7.5) - autoclosed #915

New issue
New issue
Closed
Closed
vite-0.1.17.tgz: 1 vulnerabilities (highest severity is: 7.5) - autoclosed#915
Labels
Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend
@mend-bolt-for-github

Description

@mend-bolt-for-github
mend-bolt-for-github
bot
opened on Feb 19, 2026
Vulnerable Library - vite-0.1.17.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Found in HEAD commit: 5ed19abf27e55731154fbd7701147a3ff477cb75

Vulnerabilities

Vulnerability Severity CVSS Dependency Type Fixed in (vite version) Remediation Possible**
CVE-2026-26996 High 7.5 minimatch-9.0.5.tgz Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2026-26996

Vulnerable Library - minimatch-9.0.5.tgz

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • vite-0.1.17.tgz (Root Library)
    • vite-plugin-dts-4.5.4.tgz
      • language-core-2.2.0.tgz
        • minimatch-9.0.5.tgz (Vulnerable Library)

Found in HEAD commit: 5ed19abf27e55731154fbd7701147a3ff477cb75

Found in base branch: main

Vulnerability Details

minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1.

Publish Date: 2026-02-20

URL: CVE-2026-26996

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-3ppc-4f35-3m26

Release Date: 2026-02-19

Fix Resolution: minimatch - 10.2.1,https://github.com/isaacs/minimatch.git - v10.2.1

Step up your Open Source Security Game with Mend here

Metadata

Metadata

Assignees

No one assigned

    Labels

    Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions