Vulnerability Description
Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://github.com/moxystudio/node-cross-spawn/commit/5ff3a07d9add449021d806e45c
- https://github.com/moxystudio/node-cross-spawn/commit/640d391fde65388548601d95ab
- https://github.com/moxystudio/node-cross-spawn/pull/160
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8366349
- https://security.snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230
FAQ
What is CVE-2024-21538?
CVE-2024-21538 is a vulnerability with a CVSS score of 7.5 (HIGH). Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increas...
How severe is CVE-2024-21538?
CVE-2024-21538 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-21538?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.