## High-Severity ReDoS Vulnerabilities Found in Widely Used 'minimatch' Package (GHSA-3ppc-4f35-3m26, GHSA-7r86-cg39-jmmj, GHSA-23c5-xmqv-rm74) A high-severity security flaw has been disclosed in the `minimatch` library, a core component used by millions of JavaScript projects for file pattern matching. The vulnerability, classified as a Regular Expression Denial of Service (ReDoS), carries a CVSS score of 7.5 and could allow attackers to crash or severely degrade the performance of affected applications by crafting malicious input patterns. The issue stems from inefficient regular expression handling in specific pattern-matching scenarios, leading to catastrophic backtracking that consumes excessive CPU resources. The vulnerability affects two major version ranges: `minimatch@<=3.1.3` and versions `9.0.0` through `9.0.6`. The exposure is widespread because `minimatch` is a transitive dependency in many popular toolchains. For instance, projects using `eslint@9.39.2` may pull in the vulnerable `minimatch@3.1.2` via `@eslint/config-array`. Similarly, the `@typescript-eslint/typescript-estree` package can introduce the vulnerable `minimatch@9.0.5`. Three distinct but related advisories (GHSA-3ppc-4f35-3m26, GHSA-7r86-cg39-jmmj, GHSA-23c5-xmqv-rm74) detail the specific attack vectors, including repeated wildcards with non-matching literals and combinatorial backtracking via nested globstar segments. This vulnerability poses a significant supply chain risk. Developers must immediately audit their dependency trees for affected versions of `minimatch`. The fix requires upgrading to patched versions outside the vulnerable ranges. Given `minimatch`'s role in build tools, linters, and file watchers, unpatched systems face the risk of service disruption, degraded CI/CD pipeline performance, and potential exploitation in environments where user-controlled input influences file glob patterns. The disclosure underscores the persistent security challenges within foundational open-source dependencies. --- - **Source**: GitHub Issues - **Sector**: The Lab - **Tags**: cybersecurity, supply-chain, javascript, opensource, vulnerability - **Credibility**: unverified - **Published**: 2026-03-27 09:27:08 - **ID**: 37230 - **URL**: https://whisperx.ai/en/intel/37230