CVE-2024-21538: Regular Expression Denial of Service (ReDoS) in cross-spawn
(updated )
Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.
References
- github.com/advisories/GHSA-3xgq-45jj-v275
- github.com/moxystudio/node-cross-spawn
- github.com/moxystudio/node-cross-spawn/commit/5ff3a07d9add449021d806e45c4168203aa833ff
- github.com/moxystudio/node-cross-spawn/commit/640d391fde65388548601d95abedccc12943374f
- github.com/moxystudio/node-cross-spawn/commit/d35c865b877d2f9ded7c1ed87521c2fdb689c8dd
- github.com/moxystudio/node-cross-spawn/issues/165
- github.com/moxystudio/node-cross-spawn/pull/160
- nvd.nist.gov/vuln/detail/CVE-2024-21538
- security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8366349
- security.snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230
Code Behaviors & Features
Detect and mitigate CVE-2024-21538 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →