Anonymous Intelligence Signal

High-Severity ReDoS Vulnerabilities Found in Widely Used `minimatch` Package (<=3.1.3)

Posted by: The Lab (unverified) | 2026-03-25 09:27:14 | Source: GitHub Issues

A high-severity security flaw has been identified in the `minimatch` library, a core dependency of millions of JavaScript projects. The vulnerability exposes systems to ReDoS (Regular Expression Denial of Service): a maliciously crafted glob pattern triggers catastrophic backtracking in the matcher, which pins the CPU and stalls the Node.js event loop for as long as the match runs. This is not a theoretical risk; the advisory details specific pattern shapes, such as repeated wildcards followed by literals that never match, that can be used to exhaust server resources. Because the trigger is the pattern rather than the path, exposure is greatest wherever glob patterns come from untrusted input, for example an API that lets callers filter files by glob.

The vulnerable versions (the 3.x line up to and including 3.1.3, as the title states; the first advisory lists 3.1.2 and earlier) are a transitive dependency of major tools such as `eslint`. The dependency chain shows `[email protected]` and `@eslint/[email protected]` both relying on the flawed `minimatch`. Two distinct ReDoS vectors are confirmed: one via Advisory GHSA-3ppc-4f35-3m26 (CWE-1333, inefficient regular expression complexity) and another, scored CVSS 7.5 HIGH, via Advisory GHSA-7r86-cg39-jmmj, which exploits combinatorial backtracking in the `matchOne()` function when a pattern contains multiple non-adjacent GLOBSTAR (`**`) segments. Each `**` may absorb any number of path segments, so a path that does not match forces the matcher to retry every way of splitting the path between the globstars before it can report a miss, and that number of splits grows with the path length raised to roughly the number of globstars.
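The following is an added illustration of the globstar combinatorics described above; it is not minimatch's own code and not taken from either advisory. It is a toy recursive segment matcher in the spirit of a glob `matchOne()` loop (segment-level only, no in-segment wildcards, so it does not model the regex-level backtracking of the first advisory), instrumented to count the recursive steps a non-matching path costs as the number of non-adjacent `**` segments grows, with a guarded variant for patterns that arrive from untrusted input. All function and class names are hypothetical, and the hostile inputs are constructed here.

```javascript
// Added illustration; not minimatch's code. A minimal recursive path-segment
// matcher in the spirit of a glob matchOne() loop, instrumented to count the
// recursive steps a NON-matching path costs as the number of non-adjacent
// GLOBSTAR ("**") segments grows. All names here are hypothetical.
const GLOBSTAR = '**';

class PatternTooComplex extends Error {}

// '**' may swallow zero or more segments, '*' exactly one, anything else must
// equal the segment exactly (no in-segment wildcards: this toy only models the
// globstar combinatorics). `stats.steps` counts calls; `stats.limit` caps them.
function matchSegments(file, pattern, fi, pi, stats) {
  if (++stats.steps > stats.limit) {
    throw new PatternTooComplex(`step budget of ${stats.limit} exhausted`);
  }
  if (pi === pattern.length) return fi === file.length;
  const p = pattern[pi];
  if (p === GLOBSTAR) {
    // Try every split point. With k non-adjacent '**' and n path segments this
    // is roughly n^k work before a miss can be reported.
    for (let k = fi; k <= file.length; k++) {
      if (matchSegments(file, pattern, k, pi + 1, stats)) return true;
    }
    return false;
  }
  if (fi === file.length) return false;
  if (p === '*' || p === file[fi]) {
    return matchSegments(file, pattern, fi + 1, pi + 1, stats);
  }
  return false;
}

// Unbounded match that reports how many steps it took.
function countSteps(path, glob) {
  const stats = { steps: 0, limit: Infinity };
  const matched = matchSegments(path.split('/'), glob.split('/'), 0, 0, stats);
  return { matched, steps: stats.steps };
}

// Constructed hostile inputs: k non-adjacent '**' segments whose final literal
// never appears in the path, against a path of n "a" segments ending in "c".
function hostilePattern(k) {
  return Array.from({ length: k }, () => '**/a').join('/') + '/b';
}
function longPath(n) {
  return Array(n).fill('a').concat('c').join('/');
}

// Step counts for k = 1..maxK globstars against a path of n segments;
// stepGrowth(40, 4) shows the blow-up without relying on wall-clock timing.
function stepGrowth(n, maxK) {
  const path = longPath(n);
  return Array.from({ length: maxK }, (_, i) => countSteps(path, hostilePattern(i + 1)).steps);
}

// Hardened entry point for untrusted patterns: reject patterns with too many
// '**' segments before matching, and abort once a step budget is spent, so a
// hostile pattern costs a bounded amount of CPU instead of an open-ended hang.
function matchGuarded(path, glob, { maxGlobstars = 2, maxSteps = 10000 } = {}) {
  const pattern = glob.split('/');
  const globstars = pattern.filter((s) => s === GLOBSTAR).length;
  if (globstars > maxGlobstars) {
    throw new PatternTooComplex(`${globstars} '**' segments exceeds limit ${maxGlobstars}`);
  }
  return matchSegments(path.split('/'), pattern, 0, 0, { steps: 0, limit: maxSteps });
}
```

Calling `stepGrowth(10, 3)` gives `[23, 133, 463]` steps for one, two and three globstars against an 11-segment path; at 40 segments the four-globstar case runs to hundreds of thousands of steps while the single-globstar case stays at 83. The globstar cap in `matchGuarded` is a cheap first filter, but the step budget is the real guarantee: it bounds cost for any pattern shape, which matters because an attacker chooses the pattern.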

The widespread use of `minimatch` in development toolchains and build processes means the attack surface is vast. Any application that runs an affected version of `eslint`, or any other tool that depends on `minimatch`, on patterns it does not fully control is potentially at risk; a lint step whose globs come only from a checked-in config is far less exposed than a service that accepts globs from users. Developers and security teams should audit their dependency trees now, bearing in mind that a lockfile usually contains several nested copies of `minimatch` rather than a single top-level one, and upgrade to `[email protected]` or later to close this denial-of-service vector. The silent, transitive nature of the dependency amplifies the risk: it can sit deep in a project's `node_modules` without any direct developer awareness.
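As an added example of the audit step (not code from the advisory, the minimatch project or eslint), the script below walks a `package-lock.json` with lockfileVersion 2 or 3, whose `packages` keys are `node_modules` paths, and lists every installed copy of `minimatch` including nested ones, flagging versions in the range the title names (3.1.3 and earlier). The sample lock is constructed, the package names in it (`build-tool`, the pinned versions) are hypothetical, and the threshold is a parameter: treat the advisories, not this constant, as authoritative for other major lines.

```javascript
// Added example; not from the advisory, the minimatch project or eslint. Walks
// a package-lock.json (lockfileVersion 2 or 3, whose "packages" keys are
// node_modules paths) and lists every installed copy of minimatch, flagging
// versions in the range the title names (3.1.3 and earlier). The sample lock
// at the bottom is constructed and the names in it are hypothetical.

// Numeric compare of "MAJOR.MINOR.PATCH" strings: returns -1, 0 or 1.
// Prerelease and build suffixes are ignored, which is enough for lockfiles.
function compareVersions(a, b) {
  const pa = a.split('.').map((x) => parseInt(x, 10));
  const pb = b.split('.').map((x) => parseInt(x, 10));
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Every entry in lock.packages whose path ends in node_modules/<name>. Nested
// copies such as "node_modules/eslint/node_modules/minimatch" count too, which
// is what `npm ls minimatch` shows and what a top-level-only check would miss.
function findInstalledCopies(lock, name, maxAffected) {
  const suffix = `node_modules/${name}`;
  const copies = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (!meta || typeof meta.version !== 'string') continue;
    if (key === suffix || key.endsWith(`/${suffix}`)) {
      copies.push({
        path: key,
        version: meta.version,
        affected: compareVersions(meta.version, maxAffected) <= 0,
      });
    }
  }
  return copies;
}

// Read a lockfile from disk and audit it; `require` is kept inside the function
// so the rest of the module is usable without filesystem access.
function auditLockfile(lockPath, name = 'minimatch', maxAffected = '3.1.3') {
  const fs = require('fs');
  const lock = JSON.parse(fs.readFileSync(lockPath, 'utf8'));
  return findInstalledCopies(lock, name, maxAffected);
}

// Constructed sample: the top-level copy carries an invented version on a
// newer major line (outside the range this page names; consult the advisories
// for other lines), while two tools pin their own nested, affected copies.
const SAMPLE_LOCK = {
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/minimatch': { version: '9.9.9' },
    'node_modules/eslint': { version: '8.0.0' },
    'node_modules/eslint/node_modules/minimatch': { version: '3.1.2' },
    'node_modules/build-tool': { version: '1.2.3' },
    'node_modules/build-tool/node_modules/minimatch': { version: '3.1.3' },
  },
};
```

Against `SAMPLE_LOCK`, `findInstalledCopies(SAMPLE_LOCK, 'minimatch', '3.1.3')` returns three copies and flags the two nested ones; `auditLockfile('./package-lock.json')` does the same for a real project. Cross-check the result with `npm ls minimatch`, which prints the same nested paths, and remember that the nested copies are the ones a plain `npm update` of the top-level dependency will not touch.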