
[Security] minimatch ReDoS vulnerabilities (GHSA-7r86-cg39-jmmj, GHSA-23c5-xmqv-rm74) #1147

@github-actions

Security Vulnerability Report

Summary

  • Package: minimatch
  • Affected Version: 10.2.1 (currently installed as a transitive dependency)
  • Severity: HIGH
  • CVE: Not assigned (tracked as GHSA-7r86-cg39-jmmj and GHSA-23c5-xmqv-rm74)
  • CVSS Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Vulnerability Details

Two related ReDoS (Regular Expression Denial of Service) vulnerabilities in minimatch:

  1. GHSA-7r86-cg39-jmmj: matchOne() causes combinatorial backtracking via multiple non-adjacent GLOBSTAR segments
  2. GHSA-23c5-xmqv-rm74: Nested *() extglobs generate catastrophically backtracking regular expressions

Both affect versions >=10.0.0 <10.2.3. The fixed version is 10.2.3+.

Impact on gh-aw-firewall

minimatch is a transitive dependency pulled in by:

  • @typescript-eslint/parser (via @typescript-eslint/typescript-estree)
  • eslint (via @eslint/config-array)
  • glob (direct dependency)
  • jest test toolchain

These are primarily dev/build-time dependencies. A crafted glob pattern could drive CPU usage up and hang build or test processes, but it does not directly affect runtime firewall enforcement, provided no runtime code path hands externally supplied patterns to glob or minimatch.
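As an added example (not code from the advisories or the gh-aw-firewall project): if a glob pattern ever comes from untrusted input, a conservative pre-check can refuse the two pattern shapes the advisories name before minimatch compiles them. The helper names, the limits and the sample patterns are this example's own choices; it limits exposure while the stale dependency is still installed but does not replace the upgrade.

```javascript
// Added example, not code from the advisory or the gh-aw-firewall project.
// Pre-check for glob patterns that come from untrusted input. It refuses the two
// pattern shapes the advisories describe (several non-adjacent '**' segments, and
// '*()' extglobs nested inside each other) before minimatch ever compiles them.
// The limits below are this example's own choice; upgrading minimatch is the real fix.
// Known limitation: brace sets like {a,b} are not expanded first, so a shape hidden
// inside braces is only caught if it is visible in the literal pattern text.

// Number of runs of '**' path segments, adjacent '**' segments counting as one run.
// minimatch only treats '**' as a globstar when it is the whole segment, hence the split on '/'.
function countGlobstarRuns(pattern) {
  let runs = 0;
  let inRun = false;
  for (const seg of pattern.split('/')) {
    if (seg === '**') {
      if (!inRun) runs++;
      inRun = true;
    } else {
      inRun = false;
    }
  }
  return runs;
}

// Deepest nesting of '*(' extglobs. Every extglob opener ( *( +( ?( @( !( ) goes on a
// stack so that a ')' closes the right one; only '*(' contributes to the depth.
function maxStarExtglobDepth(pattern) {
  const open = [];
  let starDepth = 0;
  let deepest = 0;
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === '\\') { i++; continue; }                 // skip the escaped character
    if ('*+?@!'.includes(c) && pattern[i + 1] === '(') {
      open.push(c);
      if (c === '*') deepest = Math.max(deepest, ++starDepth);
      i++;                                             // consume the '('
      continue;
    }
    if (c === ')' && open.length && open.pop() === '*') starDepth--;
  }
  return deepest;
}

// Returns { ok, reason }; reason is null when the pattern passes.
function checkGlobPattern(pattern, limits = { maxGlobstarRuns: 1, maxStarExtglobDepth: 1 }) {
  if (typeof pattern !== 'string') return { ok: false, reason: 'pattern is not a string' };
  const runs = countGlobstarRuns(pattern);
  if (runs > limits.maxGlobstarRuns) {
    return { ok: false, reason: `${runs} non-adjacent ** segments (limit ${limits.maxGlobstarRuns})` };
  }
  const depth = maxStarExtglobDepth(pattern);
  if (depth > limits.maxStarExtglobDepth) {
    return { ok: false, reason: `*() extglobs nested ${depth} deep (limit ${limits.maxStarExtglobDepth})` };
  }
  return { ok: true, reason: null };
}

// Constructed sample patterns, not taken from the advisories.
const SAMPLE_PATTERNS = [
  'src/**/*.ts',             // one globstar run: ok
  'a/**/**/b',               // adjacent globstars collapse to one run: ok
  'a/**/b/**/c/**/d',        // three separate runs: refused
  '*(a|b)/file.txt',         // single extglob: ok
  '*(*(a)|b)',               // nested *(): refused
  '+(a|*(b))',               // *() inside +(): depth 1: ok
];

function demo() {
  return SAMPLE_PATTERNS.map((p) => [p, checkGlobPattern(p)]);
}

for (const [p, r] of demo()) console.log(p.padEnd(22), r.ok ? 'ok' : `refused: ${r.reason}`);
```

Call checkGlobPattern() at the boundary where a pattern enters the process (CLI argument, config file, API request) and fail closed on `ok === false`; patterns that the project itself hard-codes need no check.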

Remediation Steps

  1. Recommended fix: run npm audit fix, which updates minimatch to 10.2.4
  2. Alternative: update glob (direct dependency) from 13.0.1 to 13.0.6, which pulls in a fixed minimatch
  3. Command: npm audit fix

Testing Required

  • Run full test suite after update: npm test
  • Verify build: npm run build
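After the update, confirm that no stale nested copy of minimatch remains: `npm ls minimatch` lists every installed copy, and the added script below (not part of the advisory or the gh-aw-firewall project) does the same check against package-lock.json in a form a CI job can run. The lockfile shown is constructed for the example and is not the repository's real lockfile; the version-range logic follows the advisory range >=10.0.0 <10.2.3 and assumes release versions without prerelease tags.

```javascript
// Added example, not code from the advisory or the gh-aw-firewall project.
// Scan a package-lock.json (lockfileVersion 2 or 3, which carry a "packages" map keyed
// by install path) for every installed copy of minimatch and flag versions inside the
// advisory range >=10.0.0 <10.2.3. A fixed hoisted copy can coexist with a stale copy
// nested under another package, which is what `npm audit fix` must have removed.

const VULN = { name: 'minimatch', min: [10, 0, 0], fixed: [10, 2, 3] };

// Parse 'MAJOR.MINOR.PATCH'. Assumption: release versions only; a prerelease or build
// suffix is ignored rather than compared.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function cmpVersion(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function isVulnerable(version) {
  const v = parseVersion(version);
  return cmpVersion(v, VULN.min) >= 0 && cmpVersion(v, VULN.fixed) < 0;
}

// The package name is everything after the last 'node_modules/' in the lockfile key,
// so scoped names like '@eslint/config-array' survive intact.
function packageNameFromKey(key) {
  const idx = key.lastIndexOf('node_modules/');
  return idx === -1 ? key : key.slice(idx + 'node_modules/'.length);
}

function findVulnerableCopies(lock) {
  if (!lock.packages) throw new Error('lockfileVersion 2 or 3 required (no "packages" map)');
  const hits = [];
  for (const [key, entry] of Object.entries(lock.packages)) {
    if (key === '' || packageNameFromKey(key) !== VULN.name) continue;   // '' is the root project
    if (isVulnerable(entry.version)) {
      hits.push({ path: key, version: entry.version, devOnly: entry.dev === true });
    }
  }
  return hits;
}

// Constructed sample lockfile (not the real gh-aw-firewall lockfile): a fixed hoisted copy,
// a stale copy nested under glob, a stale dev-only copy, and an old 9.x copy outside the range.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample', version: '0.0.0' },
    'node_modules/minimatch': { version: '10.2.4' },
    'node_modules/glob': { version: '13.0.1' },
    'node_modules/glob/node_modules/minimatch': { version: '10.2.1' },
    'node_modules/@eslint/config-array': { version: '0.19.0', dev: true },
    'node_modules/@eslint/config-array/node_modules/minimatch': { version: '10.0.0', dev: true },
    'node_modules/some-old-tool/node_modules/minimatch': { version: '9.0.5' },
  },
};

// Usage: node check-minimatch.js [path/to/package-lock.json]; without an argument the
// constructed sample is scanned. With a real lockfile the exit code is 1 when hits remain.
if (typeof require !== 'undefined' && require.main === module) {
  const lockPath = process.argv[2];
  const lock = lockPath ? JSON.parse(require('node:fs').readFileSync(lockPath, 'utf8')) : SAMPLE_LOCK;
  const hits = findVulnerableCopies(lock);
  for (const h of hits) console.log(`${h.path}@${h.version}${h.devOnly ? ' (dev only)' : ''}`);
  if (hits.length === 0) console.log('no minimatch in the affected range');
  if (lockPath) process.exitCode = hits.length ? 1 : 0;
}
```

On the sample lockfile the scan reports the two nested copies (10.2.1 under glob, 10.0.0 dev-only under @eslint/config-array) and ignores the fixed 10.2.4 and the 9.0.5 copy, which is outside the affected range.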

References

  • https://github.com/advisories/GHSA-7r86-cg39-jmmj
  • https://github.com/advisories/GHSA-23c5-xmqv-rm74

Detection Details

  • Detected by: Dependency Security Monitor Workflow
  • Detection Time: 2026-03-05T00:52:10Z
  • Source: npm audit

Generated by Dependency Security Monitor

  • expires on Apr 4, 2026, 12:57 AM UTC

Labels

  • dependencies
  • security