The Lab · 2026-03-25 16:27:19 · GitHub Issues
A critical security vulnerability in the popular TypeScript-first schema validation library, Valibot, has been patched in its latest release. The flaw, tracked as CVE-2025-66020, resides in the `emoji` action's `EMOJI_REGEX`. This regular expression is vulnerable to a Regular Expression Denial of Service (ReDoS) attack...
The Lab · 2026-03-26 01:27:30 · GitHub Issues
A GitHub issue calls for a direct security fix to address a ReDoS (Regular Expression Denial of Service) vulnerability by overriding a transitive dependency. The core action involves adding and adjusting overrides in the project's root `package.json` file. This forces specific indirect dependency chains to use a safe v...
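The override procedure above is easier to get right when the dependency paths that pull in the bad version are enumerated mechanically first. The following is an added example, not code from the issue or from any of the projects named on this page: it walks an npm lockfile (v2/v3 `packages` map), matches each installed version against a list of advisories, and emits the `overrides` object for the root `package.json`. The package names, versions and advisory ranges are constructed for the demo; `cmp` is a deliberately minimal numeric semver comparison that does not handle prerelease tags.

```javascript
// Added example: locate transitive installs affected by ReDoS advisories and
// build the matching npm "overrides" block. All data below is constructed.

// Constructed advisories: affected range is [min, max), fixed is the pin target.
const ADVISORIES = [
  { name: "glob-lib", min: "2.0.0", max: "2.0.3", fixed: "2.0.3" },
  { name: "route-matcher", min: "0.1.0", max: "0.1.13", fixed: "0.1.13" },
];

// Constructed lockfile excerpt: nested node_modules paths encode who pulls what in.
const LOCKFILE = {
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/glob-lib": { version: "2.0.1" },
    "node_modules/build-tool": { version: "5.1.0" },
    "node_modules/build-tool/node_modules/glob-lib": { version: "2.0.3" },
    "node_modules/web-server": { version: "4.18.0" },
    "node_modules/web-server/node_modules/route-matcher": { version: "0.1.12" },
  },
};

// Minimal x.y.z comparison (no prerelease/build metadata): returns -1, 0 or 1.
function cmp(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function inRange(version, adv) {
  return cmp(version, adv.min) >= 0 && cmp(version, adv.max) < 0;
}

// "node_modules/a/node_modules/@scope/b" -> ["a", "@scope/b"]
function pathToChain(key) {
  return key.split("node_modules/").slice(1).map((s) => s.replace(/\/$/, ""));
}

// Every lockfile entry whose name and version fall inside an advisory range,
// with the dependency chain that installs it.
function findVulnerable(lock, advisories) {
  const hits = [];
  for (const [key, meta] of Object.entries(lock.packages)) {
    if (!key) continue; // root project entry
    const chain = pathToChain(key);
    const name = chain[chain.length - 1];
    for (const adv of advisories) {
      if (name === adv.name && inRange(meta.version, adv)) {
        hits.push({ chain, version: meta.version, fixed: adv.fixed });
      }
    }
  }
  return hits;
}

// Build package.json "overrides": a top-level key for a direct install, a
// nested parent -> child key for a nested install, so the override is no wider
// than the chain that pulls the bad version in. A parent that already has its
// own version pin keeps it under the "." key, per npm's overrides syntax.
function buildOverrides(hits) {
  const overrides = {};
  for (const h of hits) {
    let node = overrides;
    for (const parent of h.chain.slice(0, -1)) {
      if (typeof node[parent] === "string") node[parent] = { ".": node[parent] };
      if (typeof node[parent] !== "object") node[parent] = {};
      node = node[parent];
    }
    node[h.chain[h.chain.length - 1]] = h.fixed;
  }
  return overrides;
}

const hits = findVulnerable(LOCKFILE, ADVISORIES);
for (const h of hits) {
  console.log(`${h.chain.join(" > ")}@${h.version} is affected; pin to ${h.fixed}`);
}
console.log(JSON.stringify({ overrides: buildOverrides(hits) }, null, 2));
```

After copying the emitted block into the root `package.json`, run `npm install` so the lockfile is regenerated, then `npm ls <package>` to confirm no resolved version is still inside the affected range. `overrides` is honoured only in the root project's `package.json` and requires npm 8.3 or later; a library cannot use it to fix its own consumers.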
The Lab · 2026-03-26 08:27:08 · GitHub Issues
A high-severity security violation has been flagged within a major McKinsey & Company project. The JFrog Xray security scan for the 'agents-at-scale-ark' repository detected multiple instances of CVE-2026-33671, a ReDoS (Regular Expression Denial of Service) vulnerability in the widely used `picomatch` library. The aut...
The Lab · 2026-03-26 09:27:15 · GitHub Issues
The widely used JavaScript wildcard-matching library `picomatch` has a high-severity vulnerability affecting versions 4.0.0 through 4.0.3. Rated CVSS 7.5 (high), it lets an attacker mount a Regular Expression Denial of Service (ReDoS) attack that sharply degrades application performance or takes the service down entirely. Because `picomatch` is a transitive dependency of many popular tools (such as Webpack and Gulp), the potential blast radius is large, and any project that has not updated risks an outage.
The advisory points to two core issues. The first, GHSA-c2c7-rcm5-vvqj, is a ReDoS caused by improper handling of `extglob` quantifiers: by supplying a crafted wildcard pattern, an attacker can trigger catastrophic backtracking in the regular expression engine and exhaust...
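Catastrophic backtracking, the mechanism behind every advisory on this page, is easiest to see with a small pattern that has the same shape as the affected ones: a quantified group whose body can itself absorb a variable number of characters. The following is an added example, not code from `picomatch` or from any advisory: the constructed pattern `^(\w+\s?)*$` is the classic ambiguous form, `SAFE` accepts exactly the same strings but is written so that each loop iteration must begin with a space, and `probe` shows the matching time roughly doubling per extra character on a rejected input while staying flat for the rewrite. The patterns and inputs are constructed; the probe is capped at small lengths so it cannot hang.

```javascript
// Added example: nested-quantifier ReDoS versus an unambiguous rewrite.
// Patterns and inputs are constructed for the demo.

// Constructed vulnerable pattern: "words separated by single spaces, optional
// trailing space". A run of word characters can be split across iterations of
// (\w+\s?)* in exponentially many ways, and a non-matching tail forces the
// engine to try every one of them before giving up.
const VULNERABLE = /^(\w+\s?)*$/;

// Same language, unambiguous: after the first word, each iteration must start
// with \s, so there is only one way to consume any prefix and a rejected input
// backtracks a linear number of times.
const SAFE = /^(?:\w+(?:\s\w+)*\s?)?$/;

// Classic trigger: n word characters followed by one that cannot match, so the
// overall match must fail and the engine explores every split.
function trigger(n) {
  return "a".repeat(n) + "!";
}

// Time one test() call in milliseconds.
function timeTest(re, input) {
  const t0 = performance.now();
  const matched = re.test(input);
  return { matched, ms: performance.now() - t0 };
}

// Run a pattern on growing rejected inputs, stopping as soon as one call
// exceeds budgetMs. Each row shows the cost at that length.
function probe(re, maxN, budgetMs) {
  const rows = [];
  for (let n = 8; n <= maxN; n += 2) {
    const r = timeTest(re, trigger(n));
    rows.push({ n, ms: Number(r.ms.toFixed(2)) });
    if (r.ms > budgetMs) break;
  }
  return rows;
}

// Sanity check that the rewrite accepts and rejects exactly what the original does.
function agree(inputs) {
  return inputs.every((s) => VULNERABLE.test(s) === SAFE.test(s));
}

console.log("vulnerable pattern (time should roughly double per +1 char):");
console.table(probe(VULNERABLE, 24, 250));
console.log("safe pattern:");
console.table(probe(SAFE, 24, 250));
console.log("safe pattern on a 100k-char rejected input:", timeTest(SAFE, trigger(100000)));
```

The fix pattern used by the libraries above is the same as the rewrite here: remove the ambiguity rather than the feature. Where the regex cannot be changed (it lives in a dependency), the practical mitigations are bounding the length of attacker-controlled input before it reaches the regex, or moving the match onto a linear-time engine such as RE2, which rejects nested quantifiers of this kind outright.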
The Lab · 2026-03-26 19:27:38 · GitHub Issues
A high-severity security vulnerability has been identified in the widely used `picomatch` library, posing a direct risk of Regular Expression Denial of Service (ReDoS) attacks. The flaw, tracked as GHSA-c2c7-rcm5-vvqj and rated with a CVSS score of 7.5, resides in versions below 2.3.2. An attacker can exploit this weak...
The Lab · 2026-03-27 01:27:07 · GitHub Issues
A critical security vulnerability, CVE-2024-21503, has been identified in the widely used Python code formatter `black`. The flaw, a Regular Expression Denial of Service (ReDoS), resides in the `lines_with_leading_tabs_expanded` function within the `strings.py` file. This vulnerability affects all versions of `black` p...
The Lab · 2026-03-27 06:27:07 · GitHub Issues
A security flaw in the widely used `micromatch` NPM package persists despite a previous fix, leaving countless applications vulnerable to denial-of-service attacks. The vulnerability, tracked as CVE-2024-4067 with a MEDIUM severity score of 5.3, is a Regular Expression Denial of Service (ReDoS) issue in versio...
The Lab · 2026-03-27 09:27:02 · GitHub Issues
A security scan has flagged multiple high-severity Regular Expression Denial of Service (ReDoS) vulnerabilities in the `minimatch` library, a core dependency for millions of JavaScript and TypeScript projects. The affected versions, `<=10.0.2`, are currently installed via the popular `@typescript-eslint/typesc...
The Lab · 2026-03-27 09:27:05 · GitHub Issues
The widely used Node.js package `minimatch` contains several high-severity vulnerabilities that can lead to denial-of-service attacks. The ReDoS (Regular Expression Denial of Service) weaknesses, rated HIGH, in versions ≤3.1.3 and 9.0.0–9.0.6 allow attackers, through specially crafted...
The Lab · 2026-03-27 09:27:10 · GitHub Issues
A high-severity security alert has been issued for the widely used `minimatch` library, exposing countless JavaScript projects to Regular Expression Denial of Service (ReDoS) attacks. The vulnerabilities, tracked as GHSA-3ppc-4f35-3m26 and GHSA-7r86-cg39-jmmj, carry a CVSS score of 7.5 and stem from inefficient regular...
The Lab · 2026-03-27 22:27:06 · GitHub Issues
A high-severity Regular Expression Denial of Service (ReDoS) vulnerability, tracked as CVE-2026-4867 (CVSS 7.5), has been resolved in the `path-to-regexp` library. The flaw was discovered within the dependency chain of `@itwin/express-server`, which pulls in the vulnerable version via the `express` package. This type o...
The Lab · 2026-03-28 10:26:59 · GitHub Issues
A high-severity security vulnerability in a critical dependency chain has been patched using a targeted package manager override. The fix addresses a confirmed ReDoS (Regular Expression Denial of Service) flaw in the `path-to-regexp` library, version 0.1.12, which was being pulled in as a transitive dependency. This vu...
The Lab · 2026-03-28 18:26:52 · GitHub Issues
A latent Regular Expression Denial of Service (ReDoS) vulnerability in the Pygments syntax highlighter library has triggered a cluster of low-severity Dependabot security alerts within a software ecosystem. The core risk stems from an inefficient regular expression used for GUID matching, which could allow an attacker ...
The Lab · 2026-03-28 19:27:05 · GitHub Issues
A recent security audit report reveals that `brace-expansion`, a widely used low-level library in the JavaScript ecosystem, has a resource-exhaustion (ReDoS) vulnerability that can cause the process to hang and run out of memory, resulting in denial of service (DoS). The issue is rated medium severity with a CVSS score of 6.5 and affects versions `<1.1.13` or `>=2.0.0 <2.0.3`. Although no critical or high-severity findings were reported, it warrants attention because of how deeply the package is embedded in the toolchain.
The core of the vulnerability is a defect in how `brace-expansion` handles a zero-step sequence. Notably, the affected `brace-expansion` package sits as a transitive development dependency in the dependency trees of several mainstream development tools, including `@eslint/config-array...
The Lab · 2026-03-29 05:27:01 · GitHub Issues
A medium-severity Regular Expression Denial of Service (ReDoS) vulnerability, tracked as CVE-2022-25883, has been detected in a legacy version of the `semver` package, a core semantic versioning parser used by npm. The flaw, present in versions before 7.5.2, resides in the `new Range()` function and can be triggered wh...
The Lab · 2026-03-29 05:27:08 · GitHub Issues
A high-severity denial-of-service vulnerability, tracked as CVE-2017-16119, has been detected in the `fresh` npm module, a core dependency of the widely used Express.js web framework. The flaw allows an attacker to trigger a regular expression denial-of-service (ReDoS) by sending specially crafted input, causing the No...
The Lab · 2026-03-30 01:26:59 · GitHub Issues
An npm audit has exposed high-severity security vulnerabilities in two widely used JavaScript packages, picomatch and brace-expansion, posing a direct threat to development and build toolchains. The flaws, which include method injection and ReDoS (Regular Expression Denial of Service) vectors, could allow attac...
The Lab · 2026-03-30 10:27:21 · GitHub Issues
A recent automated security scan has uncovered multiple high- and moderate-severity vulnerabilities within a project's core dependencies, exposing potential denial-of-service (DoS) and prototype pollution attack vectors. The scan, dated March 30, 2026, identified flaws in widely used packages including `flatted...
The Lab · 2026-03-30 11:27:13 · GitHub Issues
A security flaw in the popular React Native framework has been patched; until the fix, it exposed countless mobile applications to potential denial-of-service attacks. The vulnerability, a regular expression denial-of-service (ReDoS) within the `validateBaseUrl` function, could cause apps to consume excessive resources, become...
The Lab · 2026-03-30 12:27:17 · GitHub Issues
The Fern API project was forced into a large-scale dependency update by a critical security vulnerability. The flaw is in the Pygments syntax highlighting library, specifically the `AdlLexer` component in `pygments/lexers/archetype.py`, and can lead to a regular expression denial-of-service attack. All Pygments versions ≤ 2.19.2 are affected. The maintainers coordinated urgently through Dependabot alert #990 and pull request #13996 to raise the dependency to the fixed version, 2.20.0.
The update touched a large number of lock files across the repository. The core changes include updating `generators/python/poetry.lock` and, through targeted block replacements, batch-updating 285 lock files located in `se...