CVE-2024-21538

Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/moxystudio/node-cross-spawn/commit/5ff3a07d9add449021d806e45c4168203aa833ff
https://github.com/moxystudio/node-cross-spawn/commit/640d391fde65388548601d95abedccc12943374f
https://github.com/moxystudio/node-cross-spawn/pull/160
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8366349
https://security.snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230

Configurations

No configuration.

History

19 Nov 2024, 14:15

Type	Values Removed	Values Added
References		() https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8366349 -

08 Nov 2024, 19:01

Type	Values Removed	Values Added
Summary		(es) Las versiones del paquete cross-spawn anteriores a la 7.0.5 son vulnerables a la denegación de servicio por expresión regular (ReDoS) debido a una desinfección de entrada incorrecta. Un atacante puede aumentar el uso de la CPU y hacer que el programa se bloquee manipulando una cadena muy grande y bien manipulada.

08 Nov 2024, 05:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-08 05:15

Updated : 2024-11-19 14:15

NVD link : CVE-2024-21538

Mitre link : CVE-2024-21538

CVE.ORG link : CVE-2024-21538

JSON object : View

Products Affected

No product.

CWE

CWE-1333

Inefficient Regular Expression Complexity

7.5 /10