Status: Closed (folortin closed this issue 4 days ago)
To add to this: it appears the 'overrides' option doesn't work for npm and its children, so this vuln can't be overridden externally either besides node_modules file edits.
Already open here: https://github.com/npm/cli/issues/7902
Duplicate of #7902
Waiting for
Vulnerability Information
Package: npm/cross-spawn
Vulnerabilities:
  cross-spawn: >= 7.0.0, < 7.0.5, fixed in 7.0.5
  cross-spawn: < 6.0.6, fixed in 6.0.6
Manifest Path: package-lock.json
Scope: runtime
Advisory:
Description: Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.
References:
  https://github.com/moxystudio/node-cross-spawn/pull/160
  https://github.com/moxystudio/node-cross-spawn/commit/5ff3a07d9add449021d806e45c4168203aa833ff
  https://github.com/moxystudio/node-cross-spawn/commit/640d391fde65388548601d95abedccc12943374f
  https://security.snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230