Installing latest jest version introduces high vulnerability (8.7) CVE-2024-21538
Expected behavior
Vulnerability score reduced from high to below the high threshold.
Actual behavior
Vulnerability scan not passing in the CI/CD pipeline.
Additional context
Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well-crafted string.
Version
29.7.0
Steps to reproduce
npm list cross-spawn:
└─┬ jest@29.7.0
  └─┬ @jest/core@29.7.0
    └─┬ jest-changed-files@29.7.0
      └─┬ execa@5.1.1
        └── cross-spawn@7.0.3
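As an added example (not code from this issue or from the jest project), the check below walks the JSON tree that `npm ls --all --json` prints, reports every path ending in a cross-spawn release below the fixed 7.0.5, and emits the package.json `overrides` fragment that pins the transitive copy; the sample tree is constructed to mirror the chain above.

```javascript
// Added example (not from the jest issue or the jest project): walk the JSON
// tree printed by `npm ls --all --json` and report every dependency path that
// ends in a cross-spawn release below the fixed version 7.0.5 (CVE-2024-21538).

const FIXED = '7.0.5';

// Compare dotted numeric versions: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Depth-first walk over the nested `dependencies` maps of an `npm ls --json`
// tree, collecting "name@version" paths to each vulnerable instance of pkg.
function findVulnerable(tree, pkg = 'cross-spawn', fixed = FIXED) {
  const hits = [];
  const walk = (node, path) => {
    for (const [name, info] of Object.entries(node.dependencies || {})) {
      const here = [...path, `${name}@${info.version}`];
      if (name === pkg && compareVersions(info.version, fixed) < 0) {
        hits.push(here.join(' > '));
      }
      walk(info, here);
    }
  };
  walk(tree, []);
  return hits;
}

// package.json fragment that pins every transitive copy of pkg to a fixed
// release through npm's `overrides` field (npm 8.3+), one remediation option
// while the direct dependency has not yet raised its own requirement.
function overrideFragment(pkg = 'cross-spawn', fixed = FIXED) {
  return { overrides: { [pkg]: `>=${fixed}` } };
}

// Constructed sample mirroring the `npm list cross-spawn` chain in the issue.
const SAMPLE_TREE = { name: 'example-app', version: '1.0.0', dependencies: {
  jest: { version: '29.7.0', dependencies: {
    '@jest/core': { version: '29.7.0', dependencies: {
      'jest-changed-files': { version: '29.7.0', dependencies: {
        execa: { version: '5.1.1', dependencies: {
          'cross-spawn': { version: '7.0.3' } } } } } } } } } } };

console.log(findVulnerable(SAMPLE_TREE), JSON.stringify(overrideFragment()));
```

Feed it the real output with `npm ls --all --json > tree.json` and `JSON.parse` that file in place of `SAMPLE_TREE`; an empty result means no copy below 7.0.5 remains in the install.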
Environment