Security Vulnerabilities in Dependencies: cross-spawn 7.0.3 and braces < 3.0.3

Open MayorFaj opened this issue 9 months ago • 6 comments

Describe the bug

The GitHub Actions runner (v2.322.0) contains two high-severity dependencies with known security vulnerabilities:

  1. cross-spawn 7.0.3 - Regular Expression Denial of Service (ReDoS) vulnerability (CVE-2024-21538)
  2. braces < 3.0.3 - Memory Exhaustion vulnerability (CVE-2024-4068)

These vulnerabilities are being detected by image scanners and causing security scans to fail in our CI/CD pipelines.

To Reproduce

  1. Run security scanning tools (like Snyk, OWASP dependency check, etc.) against GitHub Actions runner v2.322.0
  2. Observe that the vulnerabilities are flagged:
    • cross-spawn 7.0.3: ReDoS vulnerability (CVE-2024-21538)
    • braces < 3.0.3: Memory Exhaustion vulnerability (CVE-2024-4068)
  3. The security scan fails, blocking the pipeline

Expected behavior

The dependencies should be updated to their fixed versions:

  • cross-spawn should be updated to 7.0.5+
  • braces should be updated to 3.0.3+

Runner Version and Platform

  • Runner version: v2.322.0
  • This affects all platforms (OSX/Windows/Linux) as these are JavaScript dependencies

What's not working?

Security scans are failing due to these high-severity vulnerabilities, causing our deployment pipelines to halt at security gates. Our organization's security policy requires remediating high-severity vulnerabilities before deployment.

Vulnerability Details

cross-spawn (CVE-2024-21538): Versions before 7.0.5 are vulnerable to Regular Expression Denial of Service due to improper input sanitization. An attacker can increase CPU usage and crash the program by crafting a large, well-crafted string. References:

  • https://github.com/advisories/GHSA-3xgq-45jj-v275
  • https://nvd.nist.gov/vuln/detail/CVE-2024-21538

braces (CVE-2024-4068): Versions prior to 3.0.3 fail to limit the number of characters they can handle, leading to Memory Exhaustion. If a malicious user sends "imbalanced braces" as input, the parsing enters a loop that allocates heap memory without freeing it, eventually causing the program to crash. References:

  • https://github.com/advisories/GHSA-grv7-fg5c-xmjg
  • https://nvd.nist.gov/vuln/detail/CVE-2024-4068

MayorFaj avatar Mar 11 '25 19:03 MayorFaj

I am currently working on bumping the version to the stable and latest version.

MayorFaj avatar Mar 11 '25 19:03 MayorFaj

I've submitted a fix for these vulnerabilities in PR#3743, which updates both cross-spawn to v7.0.6 and braces to v3.0.3.

MayorFaj avatar Mar 11 '25 22:03 MayorFaj

Hello @MayorFaj ,

I am also getting an additional dependency error; would you like me to open an issue for this one as well?

Image

Blizter avatar Mar 13 '25 20:03 Blizter

@Blizter the vulns are in the dependencies of the docker-buildx version used in the docker image.

MayorFaj avatar Mar 14 '25 13:03 MayorFaj

Thank you @MayorFaj. I opened a PR to bump up the Docker and Buildx versions: https://github.com/actions/runner/pull/3750

Blizter avatar Mar 14 '25 14:03 Blizter

Package-Path: /actions-runner/externals/node20/lib/node_modules/cross-spawn/package.json

theGameChangerDev avatar Mar 24 '25 09:03 theGameChangerDev
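A local check for the finding discussed in this issue, added here as an example that is not part of the runner project or of any comment in this thread: it walks an install tree for the package.json of cross-spawn and braces and reports copies below the fixed versions given in the issue body (7.0.5 and 3.0.3, CVE-2024-21538 and CVE-2024-4068). The directory layout it builds is constructed sample data modelled on the Package-Path reported above; the version tuple comparison and the `find_vulnerable` / `audit_sample` names are this example's own.

```python
"""Audit an actions-runner install tree for vulnerable cross-spawn / braces copies."""
import json
import os
import tempfile

# Fixed versions and CVE ids as stated in the issue body.
FIXED_VERSIONS = {
    "cross-spawn": ((7, 0, 5), "CVE-2024-21538"),
    "braces": ((3, 0, 3), "CVE-2024-4068"),
}


def parse_semver(version):
    """Turn '7.0.3' (pre-release / build suffixes dropped) into a comparable int tuple."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def find_vulnerable(root):
    """Walk root for package.json files; return (name, version, cve, path) below the fix."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        path = os.path.join(dirpath, "package.json")
        with open(path, encoding="utf-8") as fh:
            try:
                meta = json.load(fh)
            except ValueError:  # skip malformed metadata instead of aborting the audit
                continue
        name, version = meta.get("name"), meta.get("version")
        if name not in FIXED_VERSIONS or not isinstance(version, str):
            continue
        fixed, cve = FIXED_VERSIONS[name]
        if parse_semver(version) < fixed:  # nested node_modules copies are caught too
            findings.append((name, version, cve, path))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample tree: one vulnerable, one nested vulnerable, one patched copy."""
    sample = {
        "externals/node20/lib/node_modules/cross-spawn": ("cross-spawn", "7.0.3"),
        "externals/node20/lib/node_modules/npm/node_modules/braces": ("braces", "3.0.2"),
        "externals/node20/lib/node_modules/braces": ("braces", "3.0.3"),
    }
    for rel, (name, version) in sample.items():
        pkg_dir = os.path.join(root, *rel.split("/"))
        os.makedirs(pkg_dir, exist_ok=True)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump({"name": name, "version": version}, fh)


def audit_sample():
    """Run the audit over the constructed tree; returns (name, version, cve) triples."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return [(n, v, c) for n, v, c, _ in find_vulnerable(root)]


if __name__ == "__main__":
    for name, version, cve in audit_sample():
        print(f"{name} {version} is below the fixed version ({cve})")
```

Pointing `find_vulnerable` at a real `/actions-runner` directory instead of the sample tree gives the same report for an installed runner.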

Hi @MayorFaj, we are currently getting flagged due to this cross-spawn; we are using the latest runner version.

cptn3m0-27 avatar Jul 28 '25 14:07 cptn3m0-27