CVE-2024-21538

Regular Expression Denial of Service (ReDoS) in cross-spawn

Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can drive up CPU usage and crash the program by supplying a very large, carefully crafted string.

Patch Available

Fix available through Seal Security. No upgrade required, protect your application instantly.

Vulnerability Details

Score: 7.5
Score Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Versions: cross-spawn >= 7.0.0 < 7.0.5; cross-spawn < 6.0.6
Severity: High
Ecosystem: JavaScript
Publish Date: November 8, 2024
Modified Date: May 19, 2025