Bug 2324550 (CVE-2024-21538)

Summary: CVE-2024-21538 cross-spawn: regular expression denial of service
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A Regular Expression Denial of Service (ReDoS) vulnerability was found in the cross-spawn package for Node.js. Due to improper input sanitization, an attacker can increase CPU usage and crash the program with a large, specially crafted string.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2324817
Bug Blocks:

Description OSIDB Bzimport 2024-11-08 13:44:53 UTC
Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well-crafted string.

Comment 2 errata-xmlrpc 2024-11-22 01:06:58 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Security 4.5

Via RHSA-2024:10186 https://access.redhat.com/errata/RHSA-2024:10186

Comment 6 errata-xmlrpc 2024-12-02 11:23:14 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Security 4.4

Via RHSA-2024:10665 https://access.redhat.com/errata/RHSA-2024:10665

Comment 7 errata-xmlrpc 2024-12-03 18:08:27 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2024:10518 https://access.redhat.com/errata/RHSA-2024:10518

Comment 8 errata-xmlrpc 2024-12-10 08:27:50 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Service Mesh 2.5 for RHEL 8

Via RHSA-2024:10908 https://access.redhat.com/errata/RHSA-2024:10908

Comment 9 errata-xmlrpc 2024-12-10 08:28:19 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Service Mesh 2.4 for RHEL 8

Via RHSA-2024:10907 https://access.redhat.com/errata/RHSA-2024:10907

Comment 10 errata-xmlrpc 2024-12-12 00:40:05 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:10823 https://access.redhat.com/errata/RHSA-2024:10823

Comment 11 errata-xmlrpc 2024-12-12 01:47:47 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:10839 https://access.redhat.com/errata/RHSA-2024:10839

Comment 12 errata-xmlrpc 2024-12-12 09:54:49 UTC
This issue has been addressed in the following products:

  RHODF-4.17-RHEL-9

Via RHSA-2024:10986 https://access.redhat.com/errata/RHSA-2024:10986

Comment 13 errata-xmlrpc 2024-12-17 18:30:19 UTC
This issue has been addressed in the following products:

  RHODF-4.16-RHEL-9

Via RHSA-2024:11292 https://access.redhat.com/errata/RHSA-2024:11292

Comment 14 errata-xmlrpc 2024-12-19 00:31:35 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:11031 https://access.redhat.com/errata/RHSA-2024:11031

Comment 16 errata-xmlrpc 2025-01-08 10:04:26 UTC
This issue has been addressed in the following products:

  RHODF-4.17-RHEL-9

Via RHSA-2025:0079 https://access.redhat.com/errata/RHSA-2025:0079

Comment 17 errata-xmlrpc 2025-01-08 11:32:02 UTC
This issue has been addressed in the following products:

  RHODF-4.16-RHEL-9

Via RHSA-2025:0082 https://access.redhat.com/errata/RHSA-2025:0082

Comment 18 errata-xmlrpc 2025-01-09 11:28:40 UTC
This issue has been addressed in the following products:

  RHODF-4.15-RHEL-9

Via RHSA-2025:0164 https://access.redhat.com/errata/RHSA-2025:0164

Comment 20 errata-xmlrpc 2025-02-03 13:09:37 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Dev Spaces 3 Containers

Via RHSA-2025:0892 https://access.redhat.com/errata/RHSA-2025:0892

Comment 21 errata-xmlrpc 2025-02-05 10:49:34 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2025:0875 https://access.redhat.com/errata/RHSA-2025:0875

Comment 24 errata-xmlrpc 2025-03-11 09:16:25 UTC
This issue has been addressed in the following products:

  RHODF-4.18-RHEL-9

Via RHSA-2025:2652 https://access.redhat.com/errata/RHSA-2025:2652

Comment 30 errata-xmlrpc 2025-06-04 12:26:27 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.8

Via RHSA-2025:8510 https://access.redhat.com/errata/RHSA-2025:8510

Comment 31 errata-xmlrpc 2025-06-04 20:12:30 UTC
This issue has been addressed in the following products:

  RHODF-4.15-RHEL-9

Via RHSA-2025:8544 https://access.redhat.com/errata/RHSA-2025:8544

Comment 32 errata-xmlrpc 2025-06-04 22:59:47 UTC
This issue has been addressed in the following products:

  RHODF-4.14-RHEL-9

Via RHSA-2025:8551 https://access.redhat.com/errata/RHSA-2025:8551