Bug 2324550 (CVE-2024-21538) - CVE-2024-21538 cross-spawn: regular expression denial of service
Summary: CVE-2024-21538 cross-spawn: regular expression denial of service
Keywords:
Status: NEW
Alias: CVE-2024-21538
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: low low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2324817
Blocks:
Reported: 2024-11-08 13:44 UTC by OSIDB Bzimport
Modified: 2025-09-01 08:28 UTC (History)
CC List: 206 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2024:10186 0 None None None 2024-11-22 01:07:09 UTC
Red Hat Product Errata RHSA-2024:10518 0 None None None 2024-12-03 18:08:37 UTC
Red Hat Product Errata RHSA-2024:10665 0 None None None 2024-12-02 11:23:24 UTC
Red Hat Product Errata RHSA-2024:10823 0 None None None 2024-12-12 00:40:16 UTC
Red Hat Product Errata RHSA-2024:10839 0 None None None 2024-12-12 01:47:57 UTC
Red Hat Product Errata RHSA-2024:10907 0 None None None 2024-12-10 08:28:28 UTC
Red Hat Product Errata RHSA-2024:10908 0 None None None 2024-12-10 08:28:01 UTC
Red Hat Product Errata RHSA-2024:10986 0 None None None 2024-12-12 09:55:00 UTC
Red Hat Product Errata RHSA-2024:11031 0 None None None 2024-12-19 00:31:46 UTC
Red Hat Product Errata RHSA-2024:11292 0 None None None 2024-12-17 18:30:31 UTC
Red Hat Product Errata RHSA-2025:0079 0 None None None 2025-01-08 10:04:36 UTC
Red Hat Product Errata RHSA-2025:0082 0 None None None 2025-01-08 11:32:13 UTC
Red Hat Product Errata RHSA-2025:0164 0 None None None 2025-01-09 11:28:50 UTC
Red Hat Product Errata RHSA-2025:0875 0 None None None 2025-02-05 10:49:45 UTC
Red Hat Product Errata RHSA-2025:0892 0 None None None 2025-02-03 13:09:46 UTC
Red Hat Product Errata RHSA-2025:2652 0 None None None 2025-03-11 09:16:34 UTC
Red Hat Product Errata RHSA-2025:8510 0 None None None 2025-06-04 12:26:41 UTC
Red Hat Product Errata RHSA-2025:8544 0 None None None 2025-06-04 20:12:45 UTC
Red Hat Product Errata RHSA-2025:8551 0 None None None 2025-06-04 23:00:01 UTC

Description OSIDB Bzimport 2024-11-08 13:44:53 UTC
Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well-crafted string.
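The description above attributes the denial of service to a backtracking regular expression fed a long, specially shaped string. The block below is an added example and is not cross-spawn's code: it uses an end-anchored greedy backslash run of the shape `/(\\*)$/`, assumed here as representative of "double the trailing backslashes" argument escaping (not quoted from the package), beside a linear scan that produces identical output, plus a constructed probe input that makes the regex version quadratic.

```javascript
// Added example for CVE-2024-21538 (not cross-spawn's code). The regex below is
// assumed representative of "double the trailing backslashes" escaping; it is
// not quoted from the package. At every start position before the final run,
// (\\*) matches greedily, '$' then fails on the next character, and the engine
// gives back one backslash at a time, so n backslashes cost O(n^2) steps.

// Backtracking version: greedy run anchored to end of string.
function escapeTrailingBackslashesRegex(arg) {
  return String(arg).replace(/(\\*)$/, '$1$1');
}

// Linear version: count the trailing run with one backward scan, then append
// the same number of backslashes (same result as the regex replacement).
function escapeTrailingBackslashesLinear(arg) {
  const s = String(arg);
  let i = s.length;
  while (i > 0 && s[i - 1] === '\\') i -= 1;
  return s + '\\'.repeat(s.length - i);
}

// Constructed attacker input: a long backslash run ending in a non-backslash,
// so the anchor fails at every backtracking step of every start position.
function redosProbe(n) {
  return '\\'.repeat(n) + 'x';
}

// Wall-clock time of one call, in milliseconds.
function timeMs(fn, input) {
  const t0 = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Timings for both versions on the probe, and whether their outputs agree.
function compare(n) {
  const input = redosProbe(n);
  const regexOut = escapeTrailingBackslashesRegex(input);
  const linearOut = escapeTrailingBackslashesLinear(input);
  return {
    n,
    regexMs: timeMs(escapeTrailingBackslashesRegex, input),
    linearMs: timeMs(escapeTrailingBackslashesLinear, input),
    sameOutput: regexOut === linearOut,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  // Doubling n should roughly quadruple regexMs while linearMs stays flat.
  for (const n of [5000, 10000, 20000, 40000]) {
    console.log(compare(n));
  }
}
```

Run the file with `node` and watch `regexMs` grow roughly four-fold each time `n` doubles while `linearMs` stays flat. JavaScript regexes have no atomic groups or possessive quantifiers, so the dependable fix for this class of bug is either a pattern with no ambiguity at the anchor or a plain scan like the linear version; the check to apply to any candidate regex is the probe shape used here: a long run of the repeated character followed by one character that defeats the anchor.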

Comment 2 errata-xmlrpc 2024-11-22 01:06:58 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Security 4.5

Via RHSA-2024:10186 https://access.redhat.com/errata/RHSA-2024:10186

Comment 6 errata-xmlrpc 2024-12-02 11:23:14 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Security 4.4

Via RHSA-2024:10665 https://access.redhat.com/errata/RHSA-2024:10665

Comment 7 errata-xmlrpc 2024-12-03 18:08:27 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2024:10518 https://access.redhat.com/errata/RHSA-2024:10518

Comment 8 errata-xmlrpc 2024-12-10 08:27:50 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Service Mesh 2.5 for RHEL 8

Via RHSA-2024:10908 https://access.redhat.com/errata/RHSA-2024:10908

Comment 9 errata-xmlrpc 2024-12-10 08:28:19 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Service Mesh 2.4 for RHEL 8

Via RHSA-2024:10907 https://access.redhat.com/errata/RHSA-2024:10907

Comment 10 errata-xmlrpc 2024-12-12 00:40:05 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:10823 https://access.redhat.com/errata/RHSA-2024:10823

Comment 11 errata-xmlrpc 2024-12-12 01:47:47 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:10839 https://access.redhat.com/errata/RHSA-2024:10839

Comment 12 errata-xmlrpc 2024-12-12 09:54:49 UTC
This issue has been addressed in the following products:

  RHODF-4.17-RHEL-9

Via RHSA-2024:10986 https://access.redhat.com/errata/RHSA-2024:10986

Comment 13 errata-xmlrpc 2024-12-17 18:30:19 UTC
This issue has been addressed in the following products:

  RHODF-4.16-RHEL-9

Via RHSA-2024:11292 https://access.redhat.com/errata/RHSA-2024:11292

Comment 14 errata-xmlrpc 2024-12-19 00:31:35 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:11031 https://access.redhat.com/errata/RHSA-2024:11031

Comment 16 errata-xmlrpc 2025-01-08 10:04:26 UTC
This issue has been addressed in the following products:

  RHODF-4.17-RHEL-9

Via RHSA-2025:0079 https://access.redhat.com/errata/RHSA-2025:0079

Comment 17 errata-xmlrpc 2025-01-08 11:32:02 UTC
This issue has been addressed in the following products:

  RHODF-4.16-RHEL-9

Via RHSA-2025:0082 https://access.redhat.com/errata/RHSA-2025:0082

Comment 18 errata-xmlrpc 2025-01-09 11:28:40 UTC
This issue has been addressed in the following products:

  RHODF-4.15-RHEL-9

Via RHSA-2025:0164 https://access.redhat.com/errata/RHSA-2025:0164

Comment 20 errata-xmlrpc 2025-02-03 13:09:37 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Dev Spaces 3 Containers

Via RHSA-2025:0892 https://access.redhat.com/errata/RHSA-2025:0892

Comment 21 errata-xmlrpc 2025-02-05 10:49:34 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2025:0875 https://access.redhat.com/errata/RHSA-2025:0875

Comment 24 errata-xmlrpc 2025-03-11 09:16:25 UTC
This issue has been addressed in the following products:

  RHODF-4.18-RHEL-9

Via RHSA-2025:2652 https://access.redhat.com/errata/RHSA-2025:2652

Comment 30 errata-xmlrpc 2025-06-04 12:26:27 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.8

Via RHSA-2025:8510 https://access.redhat.com/errata/RHSA-2025:8510

Comment 31 errata-xmlrpc 2025-06-04 20:12:30 UTC
This issue has been addressed in the following products:

  RHODF-4.15-RHEL-9

Via RHSA-2025:8544 https://access.redhat.com/errata/RHSA-2025:8544

Comment 32 errata-xmlrpc 2025-06-04 22:59:47 UTC
This issue has been addressed in the following products:

  RHODF-4.14-RHEL-9

Via RHSA-2025:8551 https://access.redhat.com/errata/RHSA-2025:8551