CVE-2024-21538

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-21538
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-21538.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-21538
Aliases
Related
Published
2024-11-08T05:15:06Z
Modified
2024-11-19T16:50:38.521888Z
Downstream
Summary
[none]
Details

Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase CPU usage and crash the program by supplying a very large, specially crafted string.

References

Affected packages

Git / github.com/moxystudio/node-cross-spawn

Affected ranges

Type
GIT
Repo
https://github.com/moxystudio/node-cross-spawn
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed

Affected versions

0.*

0.1.0
0.1.1
0.1.2
0.1.3
0.1.4
0.1.5
0.1.6
0.1.7
0.2.0
0.2.1
0.2.2
0.2.3
0.2.4
0.2.5
0.2.6
0.2.7
0.2.8
0.2.9
0.3.0
0.4.0
0.4.1

1.*

1.0.0
1.0.1
1.0.2
1.0.3
1.0.4

2.*

2.0.0
2.0.1
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.2.0
2.2.2
2.2.3

3.*

3.0.0
3.0.1

4.*

4.0.0
4.0.2

5.*

5.0.0
5.0.1
5.1.0

v6.*

v6.0.0
v6.0.1
v6.0.2
v6.0.3
v6.0.4
v6.0.5

v7.*

v7.0.0
v7.0.1
v7.0.2
v7.0.3