
CVE-2024-21538: cross-spawn before 7.0.5 is vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization

CVSS: 7.5

Description

Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can drive CPU usage up and crash the program by supplying a very large, specially crafted string.
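For a defender, the actionable fact in this record is the fixed version: any copy of cross-spawn older than 7.0.5 in a dependency tree should be upgraded. The following is an added example, not code from the CVE record or from the cross-spawn project: it walks the `packages` map of an npm lockfile (lockfileVersion 2 or 3 layout) and reports every nested or top-level cross-spawn entry below 7.0.5. The lockfile object and its version numbers are constructed sample input; the only values taken from the advisory are the package name and the fixed version.

```javascript
// Added example (not part of the CVE record or the cross-spawn project):
// find every cross-spawn entry in an npm lockfile whose version is below
// the fixed release named in the advisory.

const PACKAGE = "cross-spawn";
const FIXED_VERSION = "7.0.5"; // fixed version stated in the advisory

// Numeric comparison of "major.minor.patch" strings; returns -1, 0 or 1.
// Pre-release suffixes (e.g. "-beta.1") are stripped and ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const da = pa[i] || 0;
    const db = pb[i] || 0;
    if (da !== db) return da < db ? -1 : 1;
  }
  return 0;
}

// Lockfile v2/v3 keys entries by install path, e.g.
// "node_modules/execa/node_modules/cross-spawn", so nested copies that a
// plain `npm ls` might hide are covered too.
function findVulnerable(lockfile, pkg = PACKAGE, fixed = FIXED_VERSION) {
  const hits = [];
  for (const [installPath, entry] of Object.entries(lockfile.packages || {})) {
    if (!installPath.endsWith("node_modules/" + pkg)) continue;
    if (typeof entry.version !== "string") continue;
    if (compareVersions(entry.version, fixed) < 0) {
      hits.push({ path: installPath, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: one top-level copy, one nested copy already
// on the fixed version, and one nested copy on an older major release.
const sampleLockfile = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/cross-spawn": { version: "7.0.3" },
    "node_modules/execa": { version: "5.1.1" },
    "node_modules/execa/node_modules/cross-spawn": { version: "7.0.5" },
    "node_modules/foreground-child/node_modules/cross-spawn": { version: "6.0.5" },
  },
};

// Report each vulnerable copy with the path that identifies which
// dependent pulled it in.
for (const hit of findVulnerable(sampleLockfile)) {
  console.log(`${hit.path}: cross-spawn ${hit.version} < ${FIXED_VERSION}`);
}
```

To run it against a real project, replace `sampleLockfile` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; the install path in each hit tells you which dependent package pins the old copy, which is what you need when a top-level `npm update` leaves a nested copy behind.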

Classification

CVE ID: CVE-2024-21538

CVSS Base Severity: HIGH

CVSS Base Score: 7.5

Affected Products

Vendor: n/a

Product: cross-spawn

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (estimated probability of exploitation in the wild)

EPSS Percentile: 17.82% (share of all scored CVEs with an EPSS score at or below this one)

EPSS Date: 2025-02-07 (date this score was calculated)

References

https://security.snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8366349
https://github.com/moxystudio/node-cross-spawn/pull/160
https://github.com/moxystudio/node-cross-spawn/commit/640d391fde65388548601d95abedccc12943374f
https://github.com/moxystudio/node-cross-spawn/commit/5ff3a07d9add449021d806e45c4168203aa833ff

Timeline