CVE-2024-21538 | Regular Expression Denial of Service (ReDoS) in cross-spawn | Version Fixed?

[Scc33]

Is this CVE still a problem with version 7.0.5+?

• https://nvd.nist.gov/vuln/detail/CVE-2024-21538
• GHSA-3xgq-45jj-v275

Seems like it was fixed by #160 but I'm still seeing it pop up as a vulnerability in my build system even on the newest version.

[satazor]

Yes it's fixed in 7.0.5. Maybe the CVE database has not been yet updated, however it shows in history:

Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.
--

[naaataliaazevedo]

Hi @Scc33
here we updated to version 7.0.6 and it was resolved

[Scc33]

I think the CVE database wasn't updated. It's now showing 7.0.5 and 7.0.6 as clean. Thanks!

[rckm]

Hi everyone, i got dependabot alert for cross-spawn. Which version should i choose? 7.0.5 or 7.0.6?