moxystudio / node-cross-spawn

A cross platform solution to node's spawn and spawnSync
MIT License

CVE-2024-21538 | Regular Expression Denial of Service (ReDoS) in cross-spawn | Version Fixed? #167

Open Scc33 opened 3 hours ago

Scc33 commented 3 hours ago

Is this CVE still a problem with version 7.0.5+?

Seems like it was fixed by https://github.com/moxystudio/node-cross-spawn/pull/160 but I'm still seeing it pop up as a vulnerability in my build system even on the newest version.

satazor commented 2 hours ago

Yes, it's fixed in 7.0.5. Maybe the CVE database has not been updated yet; however, it shows in the history:

Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well-crafted string.
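As an added example (not code from cross-spawn or from either commenter), a small Node script that reports every copy of cross-spawn resolved in a package-lock.json below 7.0.5, the version named as fixed above; a transitive dependency pinning its own older copy is a common reason a scanner keeps flagging the CVE after the direct dependency has been upgraded. The lockfile embedded in the block is constructed for illustration.

```javascript
// Added example, not cross-spawn's own code: list every copy of cross-spawn
// resolved in a package-lock.json (lockfileVersion 2/3 "packages" map) that is
// older than 7.0.5, the version named as fixed in this thread.
'use strict';

const FIXED_VERSION = '7.0.5';
const PACKAGE = 'cross-spawn';

// Compare dotted numeric versions (any "-prerelease" suffix is ignored).
// Returns a negative number, zero or a positive number like a comparator.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Return [{ path, version }] for each resolved cross-spawn below FIXED_VERSION.
// Keys look like "node_modules/cross-spawn" for the hoisted copy and
// "node_modules/<dep>/node_modules/cross-spawn" for a nested one, so a
// patched direct dependency alone does not prove the whole tree is clean.
function findVulnerableCrossSpawn(lock) {
  const hits = [];
  for (const [key, pkg] of Object.entries(lock.packages || {})) {
    if (!key.endsWith(`node_modules/${PACKAGE}`) || !pkg.version) continue;
    if (compareVersions(pkg.version, FIXED_VERSION) < 0) {
      hits.push({ path: key, version: pkg.version });
    }
  }
  return hits;
}

// Constructed lockfile: the direct dependency is patched, but a transitive
// dependency ("some-tool", hypothetical) still pins an older copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '1.0.0' },
    'node_modules/cross-spawn': { version: '7.0.5' },
    'node_modules/some-tool': { version: '2.1.0' },
    'node_modules/some-tool/node_modules/cross-spawn': { version: '6.0.5' },
  },
};

console.log(findVulnerableCrossSpawn(SAMPLE_LOCK));
```

To check a real tree, call findVulnerableCrossSpawn(JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))); a lockfileVersion 1 file has no packages map and would need its nested dependencies tree walked instead.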