[BUG] CVE-2024-21538 - cross-spawn to 7.0.5+

[crudo]

Is there an existing issue for this?

• I have searched the existing issues

This issue exists in the latest npm version

• I am using the latest npm

Current Behavior

@wraithgar Since we cannot create updates of bundled node_modules, could you please bump the cross-spawn to 7.0.5 or higher?
https://security.snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230

Expected Behavior

No response

Steps To Reproduce

1. In this environment...
2. With this config...
3. Run '...'
4. See error...

Environment

• npm:
• Node.js:
• OS Name:
• System Model Name:
• npm config:

; copy and paste output from `npm config ls` here

[CraigAtInstrumental]

Note that this vulnerability is rated as "High".

[ljharb]

indeed, but since you'd have to be attacking yourself to trigger the ReDOS in npm, it's not actually a vulnerability here.

[Mayvis]

Any update on this?

[klever34]

any update on this issue?

[MasterCarl]

As a workaround, if you're using the Trivy GitHub action, you could exclude the bundled package from the scan by specifying e.g.

uses: aquasecurity/trivy-action
with:
  skip-dirs: node_modules,/usr/local/lib/node_modules/npm/node_modules/cross-spawn

Update: For some reason, this only works with my local trivy CLI, not the GitHub action.

[klever34]

Another workaround is simply creating a .trivyignore file, and adding CVE-2024-21538 to it.

[planv]

By the way, they have just released a new version - 7.0.6 .
https://www.npmjs.com/package/cross-spawn

[lempira]

I am running into the same issue. I first tried to use the override in package.json but that didn't work because cross-spawn is a bundled dependency of another dep.

I am using better-npm-audit for the project, so adding the following the .nsprc file allows temporary bypass for that package.

{
  "1100467": {
    "active": true,
    "notes": "Waiting for https://github.com/npm/cli/issues/7902 to be resolved",
    "expiry": "2024-12-31"
  }
}

[SpencerWhitehead7]

This is preventing my team from deploying because of an automated security scan in google cloud. I know the vulnerability is basically a non-issue in the context of the cli, but the scan does not.

Please bump past the vulnerable version as part of the weekly release. From the lockfile, I think the cli only has it as a transitive dependency, and the transitives have version ranges compatible with the fixed version so it shouldn't be too hard and it's make a huge difference to anyone at the mercy of automated security scans they can't control.

I'd be happy to try and do it myself, but the contribution guidelines explicitly disallow third party fixes for dependencies.

[luka-papez]

For us this was a non-issue because we realized don't really need cross-spawn in the deployed image.

The fix is simple when that is the case. In the Docker image we deploy, simply removed cross-spawn package from node_modules regarding npm, for example:

RUN rm -r /usr/local/lib/node_modules/npm/node_modules/cross-spawn/
RUN rm -r /usr/lib/node_modules_20/npm/node_modules/cross-spawn/
RUN rm -r /usr/local/n/versions/node/18.20.5/lib/node_modules/npm/node_modules/cross-spawn/

This also made me realize that we don't need npm either, and will go even further to remove it too.

I know that some projects need npm in the final image so this solution won't work, but in case you're only using npm to build the app, it's possible you want only the built assets in the final image and don't need npm anyway.

So actually for us this was an improvement in reducing the threat surface of our deployed app 😸

[SpencerWhitehead7]

Thank you, I really appreciate your offering a solution. We're trying something similar, but it'd be nice not to have to and I don't know what a project that needed npm in the final image would do.