🔧 Security Update Request: Upgrade cross-spawn to a Secure Version #856

Open
@MyGuyCai

Description

@MyGuyCai

Are you certain it's a bug?

  • Yes, it looks like a bug

Are you using the latest plugin release?

  • Yes, I'm using the latest plugin release

Is there an existing issue for this?

  • I have searched existing issues, it hasn't been reported yet

Issue description

📌 Description
The current version of cross-spawn used in this project contains a Regular Expression Denial of Service (ReDoS) vulnerability, identified as CVE-2024-21538, with a CVSS score of 8.7 (High).

🛑 Impact
This vulnerability could allow an attacker to exploit regular expression processing, leading to excessive resource consumption (high CPU usage, potential denial of service).

✅ Recommended Fix
Please update cross-spawn to one of the patched versions:

  • cross-spawn@6.0.6
  • cross-spawn@7.0.5

🔗 References
CVE-2024-21538
CWE-1333

Let me know if I can provide any further details. Thanks! 🙏

Service configuration (serverless.yml) content

N/A

Command name and used flags

N/A

Command output

N/A

Environment information

N/A

Metadata

Assignees

No one assigned

    Labels

    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests