GHSA-xffm-g5w8-qvg7: @eslint/plugin-kit is vulnerable to Regular Expression Denial of Service attacks through ConfigCommentParser

July 18, 2025 (updated July 28, 2025)

The ConfigCommentParser#parseJSONLikeConfig API is vulnerable to a Regular Expression Denial of Service (ReDoS) attack in its only argument.

References

github.com/advisories/GHSA-xffm-g5w8-qvg7
github.com/eslint/rewrite
github.com/eslint/rewrite/commit/b283f64099ad6c6b5043387c091691d21b387805
github.com/eslint/rewrite/security/advisories/GHSA-xffm-g5w8-qvg7

Code Behaviors & Features

Detect and mitigate GHSA-xffm-g5w8-qvg7 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →