Security: cross-spawn 7.0.3 has HIGH vulnerability

**Package:** cross-spawn
**Current Version:** 7.0.3
**Fixed Version:** 7.0.5, 6.0.6
**Severity:** HIGH
**Description:** Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.

**References:**
- https://access.redhat.com/security/cve/CVE-2024-21538
- https://github.com/moxystudio/node-cross-spawn
- https://github.com/moxystudio/node-cross-spawn/commit/5ff3a07d9add449021d806e45c4168203aa833ff
- https://github.com/moxystudio/node-cross-spawn/commit/640d391fde65388548601d95abedccc12943374f
- https://github.com/moxystudio/node-cross-spawn/commit/d35c865b877d2f9ded7c1ed87521c2fdb689c8dd
- https://github.com/moxystudio/node-cross-spawn/issues/165
- https://github.com/moxystudio/node-cross-spawn/pull/160
- https://nvd.nist.gov/vuln/detail/CVE-2024-21538
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8366349
- https://security.snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230
- https://www.cve.org/CVERecord?id=CVE-2024-21538

This issue was automatically created by the Trivy security scanner.
      

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Security: cross-spawn 7.0.3 has HIGH vulnerability #10

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Security: cross-spawn 7.0.3 has HIGH vulnerability #10

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions