Security Vulnerability Report
Summary
- Package: picomatch
- Affected Versions: <=2.3.1 and 4.0.0 - 4.0.3
- Severity: HIGH
- Advisory: GHSA-c2c7-rcm5-vvqj
- CVSS Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
- CWE: CWE-1333 (Inefficient Regular Expression Complexity)
Vulnerability Details
Picomatch has a ReDoS (Regular Expression Denial of Service) vulnerability triggered via extglob quantifiers. An attacker-controlled input matching a crafted glob pattern can cause catastrophic backtracking, leading to CPU exhaustion and denial of service.
A second, related advisory, GHSA-3v7f-55p6-f55p (MODERATE, CVSS 5.3), describes a method injection in POSIX character classes that causes incorrect glob matching.
Impact on gh-aw-firewall
picomatch is used transitively by:
- anymatch (via jest-haste-map) — version 2.3.1
- micromatch (via markdownlint-cli2) — version 2.3.1
- tinyglobby (via @typescript-eslint/typescript-estree) — version 4.0.3
- Jest packages (@types/jest, babel-jest, ts-jest) — version 4.0.3
The affected versions are dev/test-time dependencies. The risk to runtime firewall behavior is minimal, but the vulnerability could affect CI/CD pipeline security if attacker-controlled glob patterns are processed.
Remediation Steps
- Fix Applied: This vulnerability has been fixed in PR #aw_pr001 via npm audit fix
  - picomatch 2.3.1 → 2.3.2
  - picomatch 4.0.3 → 4.0.4
- Command: npm audit fix
- Status: ✅ Fix available and applied in accompanying PR
Testing Required
References
Detection Details
- Detected by: Dependency Security Monitor Workflow
- Detection Time: 2026-03-26T00:57:19Z
- Source: npm audit
Generated by Dependency Security Monitor