
CVE-2024-21538 | Regular Expression Denial of Service (ReDoS) in cross-spawn | Version Fixed?

Open Scc33 opened this issue 1 year ago • 4 comments

Is this CVE still a problem with version 7.0.5+?

  • https://nvd.nist.gov/vuln/detail/CVE-2024-21538
  • https://github.com/advisories/GHSA-3xgq-45jj-v275

Seems like it was fixed by https://github.com/moxystudio/node-cross-spawn/pull/160 but I'm still seeing it pop up as a vulnerability in my build system even on the newest version.

Scc33 avatar Nov 18 '24 15:11 Scc33

Yes, it's fixed in 7.0.5. Maybe the CVE database has not been updated yet; however, it shows in history:

Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well-crafted string.

satazor avatar Nov 18 '24 15:11 satazor

Hi @Scc33, here we updated to version 7.0.6 and it was resolved.

naaataliaazevedo avatar Nov 18 '24 19:11 naaataliaazevedo

I think the CVE database wasn't updated. It's now showing 7.0.5 and 7.0.6 as clean. Thanks!

Scc33 avatar Nov 19 '24 14:11 Scc33

Hi everyone, I got a Dependabot alert for cross-spawn. Which version should I choose, 7.0.5 or 7.0.6?

rckm avatar Nov 29 '24 09:11 rckm
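A quick way to answer the recurring question in this thread ("is my build still pulling in a vulnerable cross-spawn?") is to scan the npm lockfile for every copy of the package, including copies nested under other dependencies, and compare each against the fixed release 7.0.5. The script below is an added example, not code from the cross-spawn project; it assumes a lockfile of lockfileVersion 2 or 3 (the `packages` map) and uses a constructed sample lockfile.

```javascript
// Added example: find every cross-spawn copy in an npm lockfile (lockfileVersion 2/3)
// and flag those below 7.0.5, the first release with the CVE-2024-21538 fix.
const FIXED = [7, 0, 5];

function parseVersion(v) {
  // Accepts "7.0.5", "v7.0.5" or "7.0.5-beta.1"; pre-release/build tags are ignored.
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function isVulnerable(version) {
  const parts = parseVersion(version);
  if (!parts) return true; // unparseable version: treat as unknown, i.e. not proven safe
  for (let i = 0; i < 3; i++) {
    if (parts[i] < FIXED[i]) return true;
    if (parts[i] > FIXED[i]) return false;
  }
  return false; // exactly 7.0.5
}

function findCrossSpawn(lock) {
  // Keys of "packages" are install paths such as
  // "node_modules/cross-spawn" or "node_modules/foo/node_modules/cross-spawn".
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/cross-spawn' || path.endsWith('/node_modules/cross-spawn')) {
      hits.push({ path, version: meta.version, vulnerable: isVulnerable(meta.version) });
    }
  }
  return hits;
}

// Constructed sample lockfile: the top-level copy is patched (7.0.6), but another
// dependency still carries its own nested 7.0.3, which is what keeps the alert alive.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/cross-spawn': { version: '7.0.6' },
    'node_modules/some-tool': { version: '1.0.0' },
    'node_modules/some-tool/node_modules/cross-spawn': { version: '7.0.3' },
  },
};

// For a real project: const lock = JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'));
for (const h of findCrossSpawn(SAMPLE_LOCK)) {
  console.log(`${h.path}  ${h.version}  ${h.vulnerable ? 'VULNERABLE (< 7.0.5)' : 'ok'}`);
}
```

Any flagged nested copy needs its parent dependency updated (or an `overrides` entry in package.json) before the alert will clear.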