High-Severity ReDoS Vulnerabilities in `minimatch` (GHSA-3ppc-4f35-3m26, GHSA-7r86-cg39-jmmj) Threaten JavaScript Ecosystem
A high-severity security advisory has been issued for the widely used `minimatch` library, exposing a very large number of JavaScript projects to Regular Expression Denial of Service (ReDoS). The vulnerabilities, tracked as GHSA-3ppc-4f35-3m26 and GHSA-7r86-cg39-jmmj, carry a CVSS score of 7.5 and stem from inefficient regular expression complexity and algorithmic complexity in the library's pattern compilation and matching. An attacker who can supply a glob pattern can craft one that triggers catastrophic backtracking, so matching time grows super-linearly with input size and pins a CPU core. Because `minimatch` matches synchronously, a single such call blocks the Node.js event loop: one hostile pattern stalls every other request the process is serving, which is the denial of service.
The core issue lies within the library's pattern-matching logic. The first advisory (GHSA-3ppc-4f35-3m26) describes an attack via repeated wildcards followed by a literal that never matches, while the second (GHSA-7r86-cg39-jmmj) involves combinatorial backtracking triggered by multiple non-adjacent GLOBSTAR (`**`) segments. The affected versions are every release below 3.1.4 and 9.0.0 through 9.0.6. Critically, `minimatch` is a transitive dependency of major tooling such as `eslint` and `typescript-eslint`, so the exposure is embedded in the development toolchains of millions of projects even where no application code calls the library directly.
This vulnerability represents a significant supply-chain risk. Because `minimatch` is a foundational file-globbing utility in the Node.js ecosystem, the vulnerable code propagates silently through dependency trees: a project commonly carries several copies at different versions, nested under different dependents, and installing a patched release at the top level does not replace the nested copies that other packages pin. Developers should audit their lockfiles for the affected versions and move every copy to a patched release (3.1.4 or later on the 3.x line, 9.0.7 or later on the 9.x line). The risk is highest where a pattern is accepted from an untrusted source (a request parameter, a user-supplied configuration file, a CI input); where only developer-controlled patterns reach the library, the practical impact is a hung lint or build step rather than an outage. The widespread use of the impacted parent packages (`eslint`, `typescript-eslint`) amplifies the blast radius, putting application availability and infrastructure stability at risk until the fix is applied.