## High-Severity ReDoS Vulnerabilities Found in Widely Used `minimatch` Package (<=3.1.3)
A critical security flaw has been identified in the `minimatch` library, a core dependency for millions of JavaScript projects. The vulnerability, rated HIGH severity, exposes systems to ReDoS (Regular Expression Denial of Service) attacks, where a maliciously crafted glob pattern can trigger catastrophic backtracking, causing the application to freeze or crash. This is not a theoretical risk; the advisory details specific patterns, like repeated wildcards with non-matching literals, that can be weaponized to exhaust server resources.

The vulnerable package, version 3.1.2 and earlier, is a transitive dependency for major tools like `eslint`. The dependency chain shows `eslint@9.39.2` and `@eslint/eslintrc@3.3.3` both rely on the flawed `minimatch`. Two distinct ReDoS vectors are confirmed: one via Advisory GHSA-3ppc-4f35-3m26 (CWE-1333) and another, scored CVSS 7.5 HIGH, via Advisory GHSA-7r86-cg39-jmmj, which exploits combinatorial backtracking in the `matchOne()` function using multiple non-adjacent GLOBSTAR segments.

The widespread use of `minimatch` in development toolchains and build processes means the attack surface is vast. Any application using an affected version of `eslint` or other tools that depend on `minimatch` is potentially at risk. Developers and security teams are under immediate pressure to audit their dependency trees and upgrade to `minimatch@3.1.3` or later to mitigate this denial-of-service threat. The silent, transitive nature of this dependency amplifies the risk, as it may be buried deep within a project's `node_modules` without direct developer awareness.
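As an added example (not part of the advisory or the `minimatch` project), the following script audits an npm lockfile for buried, transitive copies of `minimatch` below the fixed version named above; the lockfile excerpt it scans is constructed here, and its version numbers other than the 3.1.3 threshold are illustrative.

```javascript
// Added example: scan an npm lockfile (lockfileVersion 2/3 "packages" map) for
// every installed copy of minimatch older than the first fixed version.
const FIXED_MINIMATCH = "3.1.3"; // fixed version named in the advisory

// Numeric "x.y.z" comparison; returns true when a < b.
// Assumption: lockfiles pin release versions, so pre-release tags are ignored.
function semverLt(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Walk keys such as "node_modules/eslint/node_modules/minimatch" and report
// those resolving to a vulnerable minimatch, with the package that nested it.
function findVulnerableMinimatch(lock, fixed = FIXED_MINIMATCH) {
  const hits = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (!key.endsWith("node_modules/minimatch") || !meta.version) continue;
    if (!semverLt(meta.version, fixed)) continue;
    // Second-to-last node_modules segment is the dependency that pulled it in.
    const parts = key.split("node_modules/").filter(Boolean);
    const via = parts.length > 1 ? parts[parts.length - 2].replace(/\/$/, "") : "(root)";
    hits.push({ path: key, version: meta.version, via });
  }
  return hits;
}

// Constructed lockfile excerpt for demonstration (not from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/minimatch": { version: "9.0.5" },
    "node_modules/eslint": { version: "9.39.2" },
    "node_modules/eslint/node_modules/minimatch": { version: "3.1.2" },
    "node_modules/@eslint/eslintrc": { version: "3.3.3" },
    "node_modules/@eslint/eslintrc/node_modules/minimatch": { version: "3.0.8" },
    "node_modules/some-tool/node_modules/minimatch": { version: "3.1.3" },
  },
};

for (const h of findVulnerableMinimatch(sampleLock)) {
  console.log(`${h.path}  ${h.version}  (pulled in via ${h.via})`);
}
```

To run it against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json"))`; hoisted top-level copies are reported as `(root)`.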

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: Security, Vulnerability, JavaScript, Open Source, Supply Chain
- **Credibility**: unverified
- **Published**: 2026-03-25 09:27:14
- **ID**: 32921
- **URL**: https://whisperx.ai/en/intel/32921