fix: disable regexp backtracking by satazor · Pull Request #160 · moxystudio/node-cross-spawn (original) (raw)
highorbit25 added a commit to highorbit25/concert-vuln-app that referenced this pull request
Resolves: #28
Vulnerability Details:
- CVE: CVE-2024-21538
- Severity: HIGH
- CVSS Score: 7.5
- Package: cross-spawn (transitive dependency)
- Vulnerable Version: 7.0.3
- Fixed Version: 7.0.5
- CWE: CWE-1333 (Inefficient Regular Expression Complexity)
Remediation: Added npm overrides to force cross-spawn to version 7.0.5, which contains the security fix for this HIGH severity ReDoS vulnerability. The cross-spawn package is a transitive dependency of Next.js and other build tools.
This fix prevents Regular Expression Denial of Service (ReDoS) attacks that could cause CPU exhaustion and application crashes through crafted input strings.
Automated fix generated by IBM Bob based on CVE research from:
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-21538
- Snyk Advisory: https://security.snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230
- GitHub PR: moxystudio/node-cross-spawn#160
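The commit above remediates a transitive copy of cross-spawn with an npm override. As an added example (not code from the PR, the cross-spawn project, or the commit's author), the script below scans a package-lock.json "packages" map (lockfileVersion 2 or 3 is assumed) for every installed copy of cross-spawn, nested copies included, flags any below the fixed version 7.0.5, and builds the matching "overrides" entry; the sample lockfile is constructed.

```javascript
// Added example: find every cross-spawn copy in a lockfile and flag versions < 7.0.5.
const FIXED = "7.0.5"; // fixed version named in the commit above

// Minimal numeric semver compare on major.minor.patch; prerelease tags are
// stripped and ignored (simplifying assumption, not full semver).
function cmpVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Returns [{ path, version, vulnerable }] for each cross-spawn entry in the
// lockfile "packages" map, matching both top-level and nested install paths.
function findCrossSpawn(lock) {
  const out = [];
  for (const [p, meta] of Object.entries(lock.packages || {})) {
    const isCrossSpawn =
      p === "node_modules/cross-spawn" || p.endsWith("/node_modules/cross-spawn");
    if (!isCrossSpawn) continue;
    out.push({ path: p, version: meta.version, vulnerable: cmpVersions(meta.version, FIXED) < 0 });
  }
  return out;
}

// The package.json "overrides" fragment that forces every copy of pkg to FIXED,
// which is the remediation the commit describes.
function overrideFor(pkg) {
  return { overrides: { [pkg]: FIXED } };
}

// Constructed sample lockfile: a fixed top-level copy plus a vulnerable nested
// copy pulled in transitively (the situation the commit describes).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app" },
    "node_modules/cross-spawn": { version: "7.0.5" },
    "node_modules/execa": { version: "5.1.1" },
    "node_modules/execa/node_modules/cross-spawn": { version: "7.0.3" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  for (const r of findCrossSpawn(SAMPLE_LOCK)) console.log(r);
  console.log(JSON.stringify(overrideFor("cross-spawn")));
}
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))`; any entry with `vulnerable: true` is a copy the override should pin.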