CVE-2024-21538

EUVD-2024-3189
Versions of the package cross-spawn before 6.0.6, and from 7.0.0 up to but not including 7.0.5, are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase CPU usage and crash the program by supplying a very large, specially crafted string.
Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST | Primary | 7.5 HIGH | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score
Percentile: 21%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
Vendor | Product | Version | Source
cross-spawn | cross-spawn | 𝑥 < 7.0.5 | ADP
openSUSE / SLES Releases
openSUSE Product | Release | Version | Status
aws-cli | suse enterprise sap 15 SP4 | 1.33.26-150400.34.7.1 | fixed
aws-cli | suse enterprise sap 15 SP5 | 1.33.26-150400.34.7.1 | fixed
aws-cli | suse enterprise sap 15 SP6 | 1.33.26-150400.34.7.1 | fixed
aws-cli | suse enterprise server 15 SP4 | 1.33.26-150400.34.7.1 | fixed
aws-cli | suse enterprise server 15 SP5 | 1.33.26-150400.34.7.1 | fixed
aws-cli | suse enterprise server 15 SP6 | 1.33.26-150400.34.7.1 | fixed
nodejs18 | suse enterprise sap 15 SP5 | 18.20.5-150400.9.30.1 | fixed
nodejs18 | suse enterprise server 15 SP4 | 18.20.5-150400.9.30.1 | fixed
nodejs18 | suse enterprise server 15 SP5 | 18.20.5-150400.9.30.1 | fixed
nodejs18-devel | suse enterprise sap 15 SP5 | 18.20.5-150400.9.30.1 | fixed
nodejs18-devel | suse enterprise server 15 SP4 | 18.20.5-150400.9.30.1 | fixed
nodejs18-devel | suse enterprise server 15 SP5 | 18.20.5-150400.9.30.1 | fixed
nodejs18-docs | suse enterprise sap 15 SP5 | 18.20.5-150400.9.30.1 | fixed
nodejs18-docs | suse enterprise server 15 SP4 | 18.20.5-150400.9.30.1 | fixed
nodejs18-docs | suse enterprise server 15 SP5 | 18.20.5-150400.9.30.1 | fixed
nodejs20 | suse enterprise sap 15 SP5 | 20.18.1-150500.11.15.1 | fixed
nodejs20 | suse enterprise sap 15 SP6 | 20.18.1-150600.3.6.1 | fixed
nodejs20 | suse enterprise server 15 SP5 | 20.18.1-150500.11.15.1 | fixed
nodejs20 | suse enterprise server 15 SP6 | 20.18.1-150600.3.6.1 | fixed
nodejs20-devel | suse enterprise sap 15 SP5 | 20.18.1-150500.11.15.1 | fixed
nodejs20-devel | suse enterprise sap 15 SP6 | 20.18.1-150600.3.6.1 | fixed
nodejs20-devel | suse enterprise server 15 SP5 | 20.18.1-150500.11.15.1 | fixed
nodejs20-devel | suse enterprise server 15 SP6 | 20.18.1-150600.3.6.1 | fixed
nodejs20-docs | suse enterprise sap 15 SP5 | 20.18.1-150500.11.15.1 | fixed
nodejs20-docs | suse enterprise sap 15 SP6 | 20.18.1-150600.3.6.1 | fixed
nodejs20-docs | suse enterprise server 15 SP5 | 20.18.1-150500.11.15.1 | fixed
nodejs20-docs | suse enterprise server 15 SP6 | 20.18.1-150600.3.6.1 | fixed
npm18 | suse enterprise sap 15 SP5 | 18.20.5-150400.9.30.1 | fixed
npm18 | suse enterprise server 15 SP4 | 18.20.5-150400.9.30.1 | fixed
npm18 | suse enterprise server 15 SP5 | 18.20.5-150400.9.30.1 | fixed
npm20 | suse enterprise sap 15 SP5 | 20.18.1-150500.11.15.1 | fixed
npm20 | suse enterprise sap 15 SP6 | 20.18.1-150600.3.6.1 | fixed
npm20 | suse enterprise server 15 SP5 | 20.18.1-150500.11.15.1 | fixed
npm20 | suse enterprise server 15 SP6 | 20.18.1-150600.3.6.1 | fixed
python311-boto3 | suse enterprise desktop 15 SP7 | 1.34.138-150400.27.7.1 | fixed
python311-boto3 | suse enterprise sap 15 SP4 | 1.34.138-150400.27.7.1 | fixed
python311-boto3 | suse enterprise sap 15 SP5 | 1.34.138-150400.27.7.1 | fixed
python311-boto3 | suse enterprise sap 15 SP6 | 1.34.138-150400.27.7.1 | fixed
python311-boto3 | suse enterprise sap 15 SP7 | 1.34.138-150400.27.7.1 | fixed
python311-boto3 | suse enterprise server 15 SP4 | 1.34.138-150400.27.7.1 | fixed
python311-boto3 | suse enterprise server 15 SP5 | 1.34.138-150400.27.7.1 | fixed
python311-boto3 | suse enterprise server 15 SP6 | 1.34.138-150400.27.7.1 | fixed
python311-boto3 | suse enterprise server 15 SP7 | 1.34.138-150400.27.7.1 | fixed
python311-botocore | suse enterprise desktop 15 SP7 | 1.34.144-150400.41.7.1 | fixed
python311-botocore | suse enterprise sap 15 SP4 | 1.34.144-150400.41.7.1 | fixed
python311-botocore | suse enterprise sap 15 SP5 | 1.34.144-150400.41.7.1 | fixed
python311-botocore | suse enterprise sap 15 SP6 | 1.34.144-150400.41.7.1 | fixed
python311-botocore | suse enterprise sap 15 SP7 | 1.34.144-150400.41.7.1 | fixed
python311-botocore | suse enterprise server 15 SP4 | 1.34.144-150400.41.7.1 | fixed
python311-botocore | suse enterprise server 15 SP5 | 1.34.144-150400.41.7.1 | fixed
python311-botocore | suse enterprise server 15 SP6 | 1.34.144-150400.41.7.1 | fixed
python311-botocore | suse enterprise server 15 SP7 | 1.34.144-150400.41.7.1 | fixed
python311-coverage | suse enterprise desktop 15 SP6 | 7.6.10-150400.12.6.1 | fixed
python311-coverage | suse enterprise desktop 15 SP7 | 7.6.10-150400.12.6.1 | fixed
python311-coverage | suse enterprise sap 15 SP6 | 7.6.10-150400.12.6.1 | fixed
python311-coverage | suse enterprise sap 15 SP7 | 7.6.10-150400.12.6.1 | fixed
python311-coverage | suse enterprise server 15 SP4 | 7.6.10-150400.12.6.1 | fixed
python311-coverage | suse enterprise server 15 SP5 | 7.6.10-150400.12.6.1 | fixed
python311-coverage | suse enterprise server 15 SP6 | 7.6.10-150400.12.6.1 | fixed
python311-coverage | suse enterprise server 15 SP7 | 7.6.10-150400.12.6.1 | fixed
python311-pluggy | suse enterprise desktop 15 SP6 | 1.5.0-150400.14.10.1 | fixed
python311-pluggy | suse enterprise desktop 15 SP7 | 1.5.0-150400.14.10.1 | fixed
python311-pluggy | suse enterprise sap 15 SP6 | 1.5.0-150400.14.10.1 | fixed
python311-pluggy | suse enterprise sap 15 SP7 | 1.5.0-150400.14.10.1 | fixed
python311-pluggy | suse enterprise server 15 SP4 | 1.5.0-150400.14.10.1 | fixed
python311-pluggy | suse enterprise server 15 SP5 | 1.5.0-150400.14.10.1 | fixed
python311-pluggy | suse enterprise server 15 SP6 | 1.5.0-150400.14.10.1 | fixed
python311-pluggy | suse enterprise server 15 SP7 | 1.5.0-150400.14.10.1 | fixed
python311-pytest | suse enterprise desktop 15 SP6 | 8.3.5-150400.3.9.1 | fixed
python311-pytest | suse enterprise desktop 15 SP7 | 8.3.5-150400.3.9.1 | fixed
python311-pytest | suse enterprise sap 15 SP6 | 8.3.5-150400.3.9.1 | fixed
python311-pytest | suse enterprise sap 15 SP7 | 8.3.5-150400.3.9.1 | fixed
python311-pytest | suse enterprise server 15 SP4 | 8.3.5-150400.3.9.1 | fixed
python311-pytest | suse enterprise server 15 SP5 | 8.3.5-150400.3.9.1 | fixed
python311-pytest | suse enterprise server 15 SP6 | 8.3.5-150400.3.9.1 | fixed
python311-pytest | suse enterprise server 15 SP7 | 8.3.5-150400.3.9.1 | fixed
python311-pytest-cov | suse enterprise desktop 15 SP6 | 6.2.1-150400.12.6.1 | fixed
python311-pytest-cov | suse enterprise desktop 15 SP7 | 6.2.1-150400.12.6.1 | fixed
python311-pytest-cov | suse enterprise sap 15 SP6 | 6.2.1-150400.12.6.1 | fixed
python311-pytest-cov | suse enterprise sap 15 SP7 | 6.2.1-150400.12.6.1 | fixed
python311-pytest-cov | suse enterprise server 15 SP4 | 6.2.1-150400.12.6.1 | fixed
python311-pytest-cov | suse enterprise server 15 SP5 | 6.2.1-150400.12.6.1 | fixed
python311-pytest-cov | suse enterprise server 15 SP6 | 6.2.1-150400.12.6.1 | fixed
python311-pytest-cov | suse enterprise server 15 SP7 | 6.2.1-150400.12.6.1 | fixed
python311-pytest-mock | suse enterprise desktop 15 SP6 | 3.14.0-150400.13.6.1 | fixed
python311-pytest-mock | suse enterprise desktop 15 SP7 | 3.14.0-150400.13.6.1 | fixed
python311-pytest-mock | suse enterprise sap 15 SP6 | 3.14.0-150400.13.6.1 | fixed
python311-pytest-mock | suse enterprise sap 15 SP7 | 3.14.0-150400.13.6.1 | fixed
python311-pytest-mock | suse enterprise server 15 SP4 | 3.14.0-150400.13.6.1 | fixed
python311-pytest-mock | suse enterprise server 15 SP5 | 3.14.0-150400.13.6.1 | fixed
python311-pytest-mock | suse enterprise server 15 SP6 | 3.14.0-150400.13.6.1 | fixed
python311-pytest-mock | suse enterprise server 15 SP7 | 3.14.0-150400.13.6.1 | fixed