CVE-2024-21538
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-21538
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-21538.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-21538
- Aliases
- Related
- Published
- 2024-11-08T05:15:06Z
- Modified
- 2024-11-19T16:50:38.521888Z
- Summary
- [none]
- Details
-
Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.
- References
-
- https://github.com/moxystudio/node-cross-spawn/commit/5ff3a07d9add449021d806e45c4168203aa833ff
- https://github.com/moxystudio/node-cross-spawn/commit/640d391fde65388548601d95abedccc12943374f
- https://github.com/moxystudio/node-cross-spawn/pull/160
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8366349
- https://security.snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230
Affected packages
Git / github.com/moxystudio/node-cross-spawn
Affected ranges
- Type
- GIT
- Repo
- https://github.com/moxystudio/node-cross-spawn
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedFixed
Affected versions
0.*
0.1.0
0.1.1
0.1.2
0.1.3
0.1.4
0.1.5
0.1.6
0.1.7
0.2.0
0.2.1
0.2.2
0.2.3
0.2.4
0.2.5
0.2.6
0.2.7
0.2.8
0.2.9
0.3.0
0.4.0
0.4.1
1.*
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
2.*
2.0.0
2.0.1
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.2.0
2.2.2
2.2.3
3.*
3.0.0
3.0.1
4.*
4.0.0
4.0.2
5.*
5.0.0
5.0.1
5.1.0
v6.*
v6.0.0
v6.0.1
v6.0.2
v6.0.3
v6.0.4
v6.0.5
v7.*
v7.0.0
v7.0.1
v7.0.2
v7.0.3