CVE-2024-21538

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-21538

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-21538.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2024-21538

Aliases

GHSA-3xgq-45jj-v275

Related

Published

2024-11-08T05:15:06Z

Modified

2025-05-20T16:52:00.771822Z

Downstream

MINI-v5qr-j7rv-5x8c

MINI-rhgf-5q48-gw9m

openSUSE-SU-2024:14560-1

openSUSE-SU-2024:14559-1

openSUSE-SU-2024:14553-1

openSUSE-SU-2025:14615-1

SUSE-SU-2024:4272-1

SUSE-SU-2024:4300-1

SUSE-SU-2024:4301-1

openSUSE-SU-2024:14558-1

openSUSE-SU-2024:14561-1

openSUSE-SU-2025:14663-1

openSUSE-SU-2024:14550-1

SUSE-SU-2024:4286-1

Summary

[none]

Details

Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.

References

Affected packages

Git / github.com/moxystudio/node-cross-spawn

Affected ranges

Type: GIT
Repo: https://github.com/moxystudio/node-cross-spawn
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

5ff3a07d9add449021d806e45c4168203aa833ff

Fixed

640d391fde65388548601d95abedccc12943374f

Affected versions

0.*

0.1.0

0.1.1

0.1.2

0.1.3

0.1.4

0.1.5

0.1.6

0.1.7

0.2.0

0.2.1

0.2.2

0.2.3

0.2.4

0.2.5

0.2.6

0.2.7

0.2.8

0.2.9

0.3.0

0.4.0

0.4.1

1.*

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

2.*

2.0.0

2.0.1

2.1.1

2.1.2

2.1.3

2.1.4

2.1.5

2.2.0

2.2.2

2.2.3

3.*

3.0.0

3.0.1

4.*

4.0.0

4.0.2

5.*

5.0.0

5.0.1

5.1.0

v6.*

v6.0.0

v6.0.1

v6.0.2

v6.0.3

v6.0.4

v6.0.5

v7.*

v7.0.0

v7.0.1

v7.0.2

v7.0.3