Security: cross-spawn 7.0.3 has HIGH vulnerability

**Package:** cross-spawn

**Current Version:** 7.0.3

**Fixed Version:** 7.0.5, 6.0.6

**Severity:** HIGH

**Description:**
Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.

**References:**
* https://access.redhat.com/security/cve/CVE-2024-21538
* https://github.com/moxystudio/node-cross-spawn
* https://github.com/moxystudio/node-cross-spawn/commit/5ff3a07d9add449021d806e45c4168203aa833ff
* https://github.com/moxystudio/node-cross-spawn/commit/640d391fde65388548601d95abedccc12943374f
* https://github.com/moxystudio/node-cross-spawn/commit/d35c865b877d2f9ded7c1ed87521c2fdb689c8dd
* https://github.com/moxystudio/node-cross-spawn/issues/165
* https://github.com/moxystudio/node-cross-spawn/pull/160
* https://nvd.nist.gov/vuln/detail/CVE-2024-21538
* https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8366349
* https://security.snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230
* https://www.cve.org/CVERecord?id=CVE-2024-21538

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Security: cross-spawn 7.0.3 has HIGH vulnerability #39

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Security: cross-spawn 7.0.3 has HIGH vulnerability #39

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions