Fix CVE–2024–21538

[debricked]

CVE–2024–21538

Vulnerability details

Description

Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

NVD

Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.

GitHub

Regular Expression Denial of Service (ReDoS) in cross-spawn

Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.

CVSS details - 7.5

 

CVSS3 metrics
Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User interaction	None
Scope	Unchanged
Confidentiality	None
Integrity	None
Availability	High

References

    NVD - CVE-2024-21538
    Regular Expression Denial of Service (ReDoS) in cross-spawn ?? CVE-2024-21538 ?? GitHub Advisory Database ?? GitHub
    fix: disable regexp backtracking by satazor ?? Pull Request #160 ?? moxystudio/node-cross-spawn ?? GitHub
    fix: fix escaping bug introduced by backtracking ?? moxystudio/node-cross-spawn@640d391 ?? GitHub
    fix: disable regexp backtracking (#160) ?? moxystudio/node-cross-spawn@5ff3a07 ?? GitHub
    Regular Expression Denial of Service (ReDoS) in cross-spawn | CVE-2024-21538 | Snyk
    chore(release): 6.0.6 ?? moxystudio/node-cross-spawn@d35c865 ?? GitHub
    Backport GHSA-3xgq-45jj-v275 · Issue #165 · moxystudio/node-cross-spawn · GitHub
    Regular Expression Denial of Service (ReDoS) in org.webjars.npm:cross-spawn | CVE-2024-21538 | Snyk

 

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more about the CVE