CVE-2026-27904

Isaacs · minimatch

A second high-severity vulnerability in the minimatch JavaScript library can lead to resource exhaustion or security-filter bypasses when the library processes attacker-supplied glob expressions.

Executive summary

The minimatch library is affected by a further high-severity flaw that lets an attacker who can get a malicious string into a glob match either degrade application availability or evade filters built on the matcher.

Vulnerability

The advisory does not describe the root cause. As with other flaws in glob-matching utilities, the most likely mechanism is inefficient processing of complex patterns, which would explain the resource-exhaustion impact; the stated bypass impact suggests that a crafted pattern or path can also produce a match result other than the one the calling code relied on. Exploitation requires no credentials beyond reaching an input that the application hands to minimatch, either as the pattern or as the path being matched; applications that only match trusted, hard-coded patterns against trusted paths are not exposed in the same way.

Business impact

The CVSS score of 7.5 reflects the potential for significant service disruption. For enterprises running customer-facing Node.js applications, an exploit could cause outages and the resulting financial loss. Where minimatch is used to enforce allow or deny lists of paths (for example, deciding which files a request may read or which uploads are accepted), a bypass could let an attacker reach files that the filter was meant to keep out of reach.

Remediation

Immediate Action: Update every instance of the minimatch dependency to the patched version, including transitive copies nested under other packages' node_modules directories, since a fix to the top-level dependency alone leaves those copies in place.

Proactive Monitoring: Review application logs for failed requests, timeouts, or event-loop stalls on endpoints that accept file uploads or path-based queries, as these are the symptoms a resource-exhaustion attempt would produce.

Compensating Controls: Apply rate limiting on endpoints that accept user-defined search patterns or file paths, and cap the length of any user-supplied pattern before it reaches the matcher, to reduce the impact of resource-exhaustion attempts until the update is deployed.
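The following is an added example, not code from the advisory or from the minimatch project, showing what the compensating controls above look like in practice: a guard that rejects oversized or unusually complex patterns before they reach any glob matcher, and a per-client token bucket that bounds how many evaluations a caller can trigger. The numeric limits, the set of metacharacters counted, and the placeholder exact-match function are assumptions for illustration; in a real deployment the matcher argument would be minimatch itself and the limits would be tuned to what legitimate clients actually send.

```javascript
// Added example: bound untrusted glob patterns and rate-limit matcher calls.
// Limits are illustrative assumptions, not values from the advisory.
const DEFAULT_LIMITS = {
  maxPatternLength: 256, // assumption: longest pattern a legitimate client needs
  maxMetachars: 16,      // assumption: cap on glob syntax characters per pattern
  maxBraceDepth: 2,      // assumption: deeper {a,{b,{c}}} nesting is rejected
};

// Characters treated as glob syntax for the complexity count (assumption).
const METACHARS = '*?[]{}!+@()|';

// Inspect a pattern before it reaches the glob library.
// Returns { ok: true, reason: null } or { ok: false, reason: <string> }.
function checkPattern(pattern, limits = DEFAULT_LIMITS) {
  if (typeof pattern !== 'string') return { ok: false, reason: 'not a string' };
  if (pattern.length > limits.maxPatternLength) return { ok: false, reason: 'too long' };
  let metachars = 0;
  let depth = 0;
  let maxDepth = 0;
  for (const ch of pattern) {
    if (METACHARS.includes(ch)) metachars += 1;
    if (ch === '{') {
      depth += 1;
      if (depth > maxDepth) maxDepth = depth;
    } else if (ch === '}') {
      depth = Math.max(0, depth - 1);
    }
  }
  if (metachars > limits.maxMetachars) return { ok: false, reason: 'too many metacharacters' };
  if (maxDepth > limits.maxBraceDepth) return { ok: false, reason: 'brace nesting too deep' };
  return { ok: true, reason: null };
}

// Token bucket per client key: `capacity` evaluations, refilled at `refillPerSec`.
// The clock is injectable so the behaviour can be tested deterministically.
class RateLimiter {
  constructor(capacity, refillPerSec, now = () => Date.now()) {
    this.capacity = capacity;
    this.refillPerSec = refillPerSec;
    this.now = now;
    this.buckets = new Map(); // key -> { tokens, last }
  }

  allow(key) {
    const t = this.now();
    let b = this.buckets.get(key);
    if (!b) {
      b = { tokens: this.capacity, last: t };
      this.buckets.set(key, b);
    }
    const elapsedSec = (t - b.last) / 1000;
    b.tokens = Math.min(this.capacity, b.tokens + elapsedSec * this.refillPerSec);
    b.last = t;
    if (b.tokens < 1) return false;
    b.tokens -= 1;
    return true;
  }
}

// Wrap any matcher with signature matcher(path, pattern) -> boolean.
// The returned function reports why a request was refused, so the refusal
// can be logged and counted rather than silently treated as "no match".
function guardedMatcher(matcher, { limiter = null, limits = DEFAULT_LIMITS } = {}) {
  return function match(clientKey, path, pattern) {
    if (limiter && !limiter.allow(clientKey)) return { matched: false, rejected: 'rate limited' };
    const check = checkPattern(pattern, limits);
    if (!check.ok) return { matched: false, rejected: check.reason };
    return { matched: matcher(path, pattern), rejected: null };
  };
}

// Placeholder matcher so the file runs without the real library installed
// (assumption). With minimatch available this would be:
//   const { minimatch } = require('minimatch');
//   const match = guardedMatcher(minimatch, { limiter });
const exactMatcher = (path, pattern) => path === pattern;
const demoMatch = guardedMatcher(exactMatcher, { limiter: new RateLimiter(10, 1) });
```

The guard runs before the library sees the input, so it does not depend on knowing which construct the flaw involves; it simply denies the attacker the long or deeply nested inputs that resource-exhaustion attacks in pattern matchers typically need, while ordinary patterns such as src/**/*.js pass unchanged. Rejections are returned as a reason string rather than an exception so the calling endpoint can log them, which feeds the monitoring step above.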

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high CVSS score and the widespread use of this library, administrators and developers must act swiftly. Lockfiles pin every transitive copy of minimatch, so bumping the direct dependency does not by itself refresh copies nested under other packages; confirm that package-lock.json or yarn.lock resolves every occurrence of minimatch to the remediated version (npm ls minimatch --all lists them, and an overrides entry in package.json or a yarn resolutions entry can force the version) so that automated builds do not reintroduce the vulnerable release.