HIGH-Severity ReDoS Vulnerabilities in Widely Used 'minimatch' Package (CVSS 7.5)
A security scan has flagged multiple high-severity Regular Expression Denial of Service (ReDoS) vulnerabilities in the `minimatch` library, a core dependency of millions of JavaScript and TypeScript projects. The flagged version range, `<=10.0.2`, was installed transitively through the popular `@typescript-eslint/typescript-estree` package, so the exposure is a transitive-dependency risk rather than one most projects chose directly. The most severe issue carries a CVSS score of 7.5 (High): a remote, unauthenticated attacker who can get a crafted glob pattern or path in front of the matcher can burn CPU until the process stops serving requests. As with any ReDoS, the practical precondition is that untrusted input reaches the matcher, either as the pattern or as the path being tested.
The vulnerabilities are tracked under two distinct GitHub Security Advisories. The first, GHSA-3ppc-4f35-3m26, is an inefficient regular expression complexity flaw (CWE-1333) affecting versions `<3.1.3` and `>=9.0.0 <9.0.6`. The second and more severe advisory, GHSA-7r86-cg39-jmmj, is combinatorial backtracking in the `matchOne()` function triggered by multiple non-adjacent GLOBSTAR (`**`) segments in a pattern (CWE-407, inefficient algorithmic complexity): each `**` can absorb any number of path segments, so a path that nearly matches forces the matcher to retry every split point for every globstar before it can fail. This flaw is present in versions `<3.1.3` and `>=9.0.0 <9.0.6`, and its CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) spells out why it scores 7.5: network attack vector, low attack complexity, no privileges or user interaction required, no confidentiality or integrity impact, and high availability impact.
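The following added example is not minimatch's code and not taken from the advisory; it is a deliberately simplified segment matcher written for this article to show the shape of the backtracking problem. It assumes toy semantics (split pattern and path on `/`, `**` matches zero or more whole segments, `*` matches one segment, everything else is literal) and compares a naive recursive matcher with one that memoises on the (pattern index, path index) pair, which bounds the work to the number of distinct states. The adversarial pattern and path are constructed here for the demonstration.

```javascript
// Added illustration for the GLOBSTAR backtracking issue (not minimatch's code).
// Toy semantics, an assumption of this demo: "**" = zero or more path segments,
// "*" = exactly one segment, anything else matches literally.

function matchNaive(pattern, path) {
  const pat = pattern.split('/');
  const segs = path.split('/');
  let steps = 0; // number of recursive evaluations performed

  function rec(pi, fi) {
    steps++;
    if (pi === pat.length) return fi === segs.length;
    if (pat[pi] === '**') {
      // Let "**" swallow 0, 1, 2, ... of the remaining segments. Every later
      // "**" does the same, so the same dead ends are re-explored once per
      // split point chosen by each earlier globstar: combinatorial blow-up.
      for (let k = fi; k <= segs.length; k++) {
        if (rec(pi + 1, k)) return true;
      }
      return false;
    }
    if (fi === segs.length) return false;
    if (pat[pi] === '*' || pat[pi] === segs[fi]) return rec(pi + 1, fi + 1);
    return false;
  }

  return { matched: rec(0, 0), steps };
}

function matchMemo(pattern, path) {
  const pat = pattern.split('/');
  const segs = path.split('/');
  let steps = 0;
  const memo = new Map(); // (pi, fi) -> boolean; at most (P+1)*(F+1) entries

  function rec(pi, fi) {
    const key = pi * (segs.length + 1) + fi;
    if (memo.has(key)) return memo.get(key);
    steps++;
    let result;
    if (pi === pat.length) {
      result = fi === segs.length;
    } else if (pat[pi] === '**') {
      result = false;
      for (let k = fi; k <= segs.length && !result; k++) result = rec(pi + 1, k);
    } else if (fi === segs.length) {
      result = false;
    } else if (pat[pi] === '*' || pat[pi] === segs[fi]) {
      result = rec(pi + 1, fi + 1);
    } else {
      result = false;
    }
    memo.set(key, result);
    return result;
  }

  return { matched: rec(0, 0), steps };
}

// Constructed adversarial input: five non-adjacent globstars, and a path that
// keeps every literal "x" satisfiable but can never satisfy the final "y".
const ADVERSARIAL_PATTERN = '**/x/**/x/**/x/**/x/**/y';
function adversarialPath(n) {
  return Array(n).fill('x').concat('z').join('/');
}

// Demo: the naive matcher's work grows roughly with C(n, 4); the memoised
// one stays bounded by pattern length times path length.
for (const n of [10, 20, 30]) {
  const p = adversarialPath(n);
  console.log(
    `n=${n} naive=${matchNaive(ADVERSARIAL_PATTERN, p).steps}` +
    ` memo=${matchMemo(ADVERSARIAL_PATTERN, p).steps}`
  );
}
```

Both matchers agree on every answer; only the amount of work differs. The real library operates on regex-compiled segments rather than literal strings, so the numbers here are not minimatch's, but the reason a handful of extra `**` segments turns a failing match into a CPU sink is the same: without memoisation or an equivalent bound, each globstar multiplies the number of split points that must be retried.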
This discovery puts immediate pressure on development and security teams across the Node.js ecosystem to audit their dependency trees. `minimatch` is a fundamental building block for file globbing, pulled in indirectly by countless tools and frameworks, and a single project can carry several copies at different versions, nested under different parents. Patched releases exist for both advisories, but because the vulnerable copy arrives via `@typescript-eslint/typescript-estree` rather than a direct dependency, many projects are exposed without anyone having chosen minimatch at all. Unpatched systems that feed attacker-influenced patterns or paths to the matcher risk resource exhaustion: matching is synchronous, so a single pathological call pins the Node.js event loop and stalls every other request on that process until it returns.
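The quickest check is `npm ls minimatch --all` (or `npm audit`), but on a large monorepo it helps to script the lockfile walk so the result can be asserted in CI. The script below is an added example written for this article, not part of minimatch or the advisory tooling. It assumes an npm lockfile of `lockfileVersion` 2 or 3, whose `packages` map is keyed by install path, and it hard-codes the affected ranges exactly as the advisories quoted above list them (`<3.1.3` and `>=9.0.0 <9.0.6`); take the ranges from the advisory pages for real use, since they may be updated. Plain `x.y.z` versions are assumed. The lockfile object is constructed inline so the script runs offline.

```javascript
// Added example (not from minimatch or the advisory): find every copy of a
// package in an npm lockfile (lockfileVersion 2/3 "packages" map) and flag the
// ones whose version falls inside the advisory ranges. Assumes x.y.z versions.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unexpected version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Ranges as quoted from the two advisories above: <3.1.3 and >=9.0.0 <9.0.6.
// lo === null means "no lower bound"; hi is exclusive.
const AFFECTED_RANGES = [
  { lo: null, hi: '3.1.3' },
  { lo: '9.0.0', hi: '9.0.6' },
];

function isAffected(version, ranges = AFFECTED_RANGES) {
  const v = parseVersion(version);
  return ranges.some(({ lo, hi }) =>
    (lo === null || cmp(v, parseVersion(lo)) >= 0) && cmp(v, parseVersion(hi)) < 0
  );
}

// Walk the lockfile's install paths. A nested copy lives at
// "node_modules/<parent>/node_modules/<name>", so everything before the final
// "node_modules/<name>" is the chain of dependents that pulled it in.
function findPackage(lock, name) {
  const suffix = `node_modules/${name}`;
  const hits = [];
  for (const [installPath, entry] of Object.entries(lock.packages || {})) {
    if (installPath !== suffix && !installPath.endsWith(`/${suffix}`)) continue;
    const via = installPath
      .slice(0, installPath.length - suffix.length)
      .split('node_modules/')
      .filter(Boolean)
      .map((s) => s.replace(/\/$/, ''));
    hits.push({
      path: installPath,
      version: entry.version,
      via,
      affected: isAffected(entry.version),
    });
  }
  return hits;
}

// Constructed sample lockfile; package names follow the article, but the
// versions are chosen only to exercise both affected and patched branches.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/minimatch': { version: '9.0.3' },
    'node_modules/@typescript-eslint/typescript-estree': { version: '8.0.0' },
    'node_modules/@typescript-eslint/typescript-estree/node_modules/minimatch': { version: '9.0.6' },
    'node_modules/glob/node_modules/minimatch': { version: '3.0.4' },
  },
};

for (const hit of findPackage(SAMPLE_LOCK, 'minimatch')) {
  const chain = hit.via.length ? hit.via.join(' > ') : '(direct)';
  console.log(`${hit.affected ? 'VULNERABLE' : 'ok        '} minimatch@${hit.version} via ${chain}`);
}
```

In CI, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))` and fail the build when any hit has `affected === true`; a scanner that only looks at the top-level copy will miss the nested ones, which is exactly where a transitive `minimatch` hides.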