CVE-2024-21538

Published

Last updated

NVD

https://nvd.nist.gov/vuln/detail/CVE-2024-21538

CGA ID

CGA-8j64-28x2-ggxv

Severity

Unknown

Description

Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.

References

https://images.chainguard.dev/security/CGA-8j64-28x2-ggxv
https://github.com/advisories/GHSA-3xgq-45jj-v275
https://github.com/moxystudio/node-cross-spawn/commit/5ff3a07d9add449021d806e45c4168203aa833ff
https://github.com/moxystudio/node-cross-spawn/commit/640d391fde65388548601d95abedccc12943374f
https://github.com/moxystudio/node-cross-spawn/pull/160
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8366349
https://security.snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230

Affected packages

Advisories are based on vulnerability information provided by Grype from Anchore. Learn how Chainguard creates security advisories.

Safe Source for Open Source™

Media Kit Contact Us

Private Policy

CVE-2024-21538

Severity

Description

References

Affected packages

Products

Why Chainguard

Customers

Company

Resources