
CVE-2024-21538 | Regular Expression Denial of Service (ReDoS) in cross-spawn | Version Fixed? #167

Open
Scc33 opened this issue Nov 18, 2024 · 4 comments

Comments

@Scc33

Scc33 commented Nov 18, 2024

Is this CVE still a problem with version 7.0.5+?

Seems like it was fixed by #160 but I'm still seeing it pop up as a vulnerability in my build system even on the newest version.

@satazor
Contributor

satazor commented Nov 18, 2024

Yes, it's fixed in 7.0.5. Maybe the CVE database has not been updated yet; however, it shows in the history:

Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.

@naaataliaazevedo

Hi @Scc33
Here we updated to version 7.0.6 and it was resolved.

lswith added a commit to lswith/berry that referenced this issue Nov 19, 2024
cross-spawn has a vulnerability moxystudio/node-cross-spawn#167.

This should allow the latest version of the cross-spawn package to work.
@Scc33
Author

Scc33 commented Nov 19, 2024

I think the CVE database wasn't updated. It's now showing 7.0.5 and 7.0.6 as clean. Thanks!

github-merge-queue bot pushed a commit to yarnpkg/berry that referenced this issue Nov 25, 2024
cross-spawn has a vulnerability
moxystudio/node-cross-spawn#167.

This should allow the latest version of the cross-spawn package to work.

## What's the problem this PR addresses?

<!-- Describe the rationale of your PR. -->
<!-- Link all issues that it closes. (Closes/Resolves #xxxx.) -->

...

## How did you fix it?

<!-- A detailed description of your implementation. -->

...

## Checklist

<!--- Don't worry if you miss something, chores are automatically
tested. -->
<!--- This checklist exists to help you remember doing the chores when
you submit a PR. -->
<!--- Put an `x` in all the boxes that apply. -->
- [x] I have read the [Contributing
Guide](https://yarnpkg.com/advanced/contributing).

<!-- See
https://yarnpkg.com/advanced/contributing#preparing-your-pr-to-be-released
for more details. -->
<!-- Check with `yarn version check` and fix with `yarn version check
-i` -->
- [x] I have set the packages that need to be released for my changes to
be effective.

<!-- The "Testing chores" workflow validates that your PR follows our
guidelines. -->
<!-- If it doesn't pass, click on it to see details as to what your PR
might be missing. -->
- [x] I will check that all automated PR checks pass before the PR gets
reviewed.
@rckm

rckm commented Nov 29, 2024

Hi everyone, I got a Dependabot alert for cross-spawn. Which version should I choose? 7.0.5 or 7.0.6?
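As an added example (not code from the cross-spawn project or from anyone in this thread), a Node.js check that answers the version question for a lockfile: it lists every copy of cross-spawn in a package-lock.json `packages` map, nested copies included, whose version is older than the 7.0.5 fix named above, so both 7.0.5 and 7.0.6 pass. The lockfile contents are constructed, and `findVulnerableCrossSpawn` and `compareVersions` are names chosen here.

```javascript
// Added example, not part of the cross-spawn project: audit an npm lockfile
// (package-lock.json v2/v3 "packages" map) for copies of cross-spawn older than
// the fixed release 7.0.5 referenced in the thread. Nested copies under other
// dependencies are checked too, since a lockfile can pin several versions of
// the same package at once.
const FIXED_VERSION = '7.0.5';

// Compare two "x.y.z" version strings numerically (prerelease tags ignored).
// Returns a negative, zero or positive number like a sort comparator.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Return every lockfile entry whose path ends in node_modules/cross-spawn
// (top-level or nested) and whose version is below `fixed`.
function findVulnerableCrossSpawn(lockfile, fixed = FIXED_VERSION) {
  const packages = lockfile.packages || {};
  const hits = [];
  for (const [path, meta] of Object.entries(packages)) {
    // "$" keeps cross-spawn-async and similar names from matching.
    if (!/(^|\/)node_modules\/cross-spawn$/.test(path)) continue;
    if (meta.version && compareVersions(meta.version, fixed) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: the top-level copy is already on 7.0.6, but a
// nested copy under another tool is still on 7.0.3 and would keep an alert open.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    'node_modules/cross-spawn': { version: '7.0.6' },
    'node_modules/some-tool': { version: '1.0.0', dependencies: { 'cross-spawn': '^7.0.0' } },
    'node_modules/some-tool/node_modules/cross-spawn': { version: '7.0.3' },
    'node_modules/cross-spawn-async': { version: '2.2.5' },
  },
};

console.log(findVulnerableCrossSpawn(SAMPLE_LOCKFILE));
```

To run it against a real project, replace `SAMPLE_LOCKFILE` with the parsed contents of that project's package-lock.json; an empty result means every installed copy is at or above 7.0.5.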
