## McKinsey's 'Agents at Scale' Codebase Flags High-Severity CVE-2026-33671 in Picomatch
A high-severity security violation has been flagged in a McKinsey & Company project. The JFrog Xray security scan for the 'agents-at-scale-ark' repository detected multiple instances of CVE-2026-33671, a ReDoS (Regular Expression Denial of Service) vulnerability in the widely used `picomatch` library. The automated alert, tied to build 5752 on a merge branch, records an open, unremediated finding in the codebase; where attacker-supplied input reaches the affected matcher, the flaw could be used to cause service disruption.

The scan attributes the finding to two versions of the `picomatch` npm package present in the dependency tree, 2.3.1 and 4.0.3. `picomatch` is a glob-pattern matcher that compiles glob expressions into regular expressions. The vulnerability, categorized as 'High' severity, allows an attacker to craft input using extglob quantifiers such that the generated regular expression backtracks catastrophically, consuming CPU and rendering the application unresponsive. The exposure is therefore greatest where glob patterns originate from untrusted input; a scanner reports the presence of an affected version, not whether such a code path exists in this project. The scan produced five violations that all carry the same ID (XRAY-956992) for this single CVE, which typically means the package is installed in several places in the dependency tree and each copy is reported separately.

This finding places immediate pressure on the development team to assess the operational impact. The prescribed next steps, reviewing the detailed GitHub Actions run, investigating the CVE's project-specific implications, and updating dependencies, are standard but urgent. The alternative of adding the violation to a whitelist, while an option, would constitute an explicit acceptance of a known high-risk flaw in a project associated with a global consulting giant, raising questions about internal security governance and software supply chain hygiene for AI agent systems operated at scale.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE, Supply Chain Security, Open Source, ReDoS, GitHub Actions
- **Credibility**: unverified
- **Published**: 2026-03-26 08:27:08
- **ID**: 34942
- **URL**: https://whisperx.ai/en/intel/34942