CVE-2024-21538
8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P
Summary
Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | cross-spawn | 0 < 6.0.6 | affected |
| n/a | cross-spawn | 7.0.0 < 7.0.5 | affected |
| n/a | org.webjars.npm:cross-spawn | 0 < 7.0.6 | affected |
Weaknesses
- CWE-1333: Regular Expression Denial of Service (ReDoS)
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: partial
References
- https://security.snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8366349
- https://github.com/moxystudio/node-cross-spawn/pull/160
- https://github.com/moxystudio/node-cross-spawn/commit/640d391fde65388548601d95abedccc12943374f
- https://github.com/moxystudio/node-cross-spawn/commit/5ff3a07d9add449021d806e45c4168203aa833ff
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.