## Security Alert: High-Severity ReDoS Vulnerability in picomatch Library (GHSA-c2c7-rcm5-vvqj)
A high-severity security vulnerability has been identified in the widely used `picomatch` library, posing a direct risk of Regular Expression Denial of Service (ReDoS) attacks. The flaw, tracked as GHSA-c2c7-rcm5-vvqj and rated with a CVSS score of 7.5, resides in versions below 2.3.2. An attacker can exploit this weakness by crafting malicious glob patterns containing extglob quantifiers, leading to excessive and potentially debilitating CPU consumption on affected systems.

The vulnerability is actively present in a common dependency chain within the JavaScript ecosystem. Specifically, the outdated `picomatch@2.3.1` is being pulled in transitively via `@lingui/cli@5.9.3` → `chokidar@3.5.1` → `anymatch@3.1.3`. This path was discovered during a routine `npm audit` while working on a project pull request, highlighting how critical vulnerabilities can lurk deep within nested dependencies.

Immediate remediation is required. Developers must update the `@lingui/cli` package to a version that pulls in `picomatch@2.3.2` or higher. Alternatively, a direct override can be specified in the `package.json` file to force the secure version. This vulnerability underscores the persistent security challenges in open-source software supply chains, where a single outdated transitive dependency can introduce significant operational risk and require urgent patching to prevent potential service disruption.
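The `package.json` override mentioned above, together with a lockfile check that confirms no copy of `picomatch` below 2.3.2 remains, as an added example that is not code from the advisory or from the picomatch or @lingui/cli projects. The `findVulnerablePicomatch` helper, the `versionLessThan` helper (plain `x.y.z` versions assumed) and the sample lockfile are constructed here for illustration.

```javascript
// Part 1: package.json "overrides" entry that forces the patched picomatch for
// every transitive consumer (the advisory's suggested alternative to bumping
// @lingui/cli). Assumed shape for npm's overrides field.
const PACKAGE_JSON_FIX = {
  overrides: { picomatch: '^2.3.2' },
};

const FIXED_VERSION = '2.3.2';

// Numeric compare of two "x.y.z" strings; a pre-release suffix on `a` is
// dropped, which is enough for the stable picomatch releases involved here.
function versionLessThan(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Part 2: scan a lockfile's "packages" map (npm v7+ format, assumed) and
// return every picomatch install older than 2.3.2 with its nesting path, so
// nested copies under chokidar/anymatch are not hidden by a patched top-level one.
function findVulnerablePicomatch(lock) {
  const hits = [];
  for (const [p, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/picomatch$/.test(p)) continue;
    if (versionLessThan(meta.version, FIXED_VERSION)) {
      hits.push({ path: p, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile mirroring the chain named in the advisory:
// @lingui/cli -> chokidar -> anymatch -> picomatch@2.3.1, plus a patched
// top-level copy that must not be reported.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/picomatch': { version: '2.3.2' },
    'node_modules/@lingui/cli': { version: '5.9.3' },
    'node_modules/@lingui/cli/node_modules/chokidar': { version: '3.5.1' },
    'node_modules/@lingui/cli/node_modules/anymatch': { version: '3.1.3' },
    'node_modules/@lingui/cli/node_modules/picomatch': { version: '2.3.1' },
  },
};

console.log('vulnerable copies:', JSON.stringify(findVulnerablePicomatch(SAMPLE_LOCK)));
console.log('package.json fix:', JSON.stringify(PACKAGE_JSON_FIX));
```

To run it against a real project, replace `SAMPLE_LOCK` with the parsed contents of its `package-lock.json`; an empty result after applying the override and reinstalling confirms the fix took effect.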
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: Security, Vulnerability, ReDoS, Open Source, npm
- **Credibility**: unverified
- **Published**: 2026-03-26 19:27:38
- **ID**: 35995
- **URL**: https://whisperx.ai/en/intel/35995