GHSA-3xgq-45jj-v275

GitHub Security Advisory

Regular Expression Denial of Service (ReDoS) in cross-spawn

✓ GitHub Reviewed HIGH Has CVE

Advisory Details

Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can drive up CPU usage and crash the program by supplying a very large, specially crafted string.

Affected Packages

npm cross-spawn
Affected versions: 7.0.0 (fixed in 7.0.5)
npm cross-spawn
Affected versions: 0 (fixed in 6.0.6)
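
An added example, not part of the advisory or of cross-spawn's own code: a Node.js check that walks the `packages` map of a package-lock.json (lockfileVersion 2 or 3) and reports every cross-spawn copy whose version falls in the affected ranges listed above. The function names and the sample lockfile are constructed for illustration, and pre-release suffixes are ignored when comparing versions.

```javascript
'use strict';
// Affected ranges as listed in this advisory: [7.0.0, 7.0.5) and [0, 6.0.6).
const AFFECTED = [
  { introduced: [7, 0, 0], fixed: [7, 0, 5] },
  { introduced: [0, 0, 0], fixed: [6, 0, 6] },
];

// Parse "major.minor.patch"; any pre-release/build suffix is ignored (assumption).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true = affected, false = not affected, null = version could not be parsed.
function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return null;
  return AFFECTED.some(r => compare(v, r.introduced) >= 0 && compare(v, r.fixed) < 0);
}

// Report every nested or top-level cross-spawn install in a parsed lockfile.
// Unparseable versions are reported too so they get a manual review.
function findAffected(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/cross-spawn')) continue;
    if (isAffected(entry.version) !== false) hits.push({ path, version: entry.version });
  }
  return hits;
}

// Constructed sample lockfile (hypothetical dependency tree, not real project data).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/cross-spawn': { version: '7.0.3' },
    'node_modules/execa/node_modules/cross-spawn': { version: '6.0.5' },
    'node_modules/foo/node_modules/cross-spawn': { version: '7.0.6' },
    'node_modules/bar/node_modules/cross-spawn': { version: '6.0.6' },
  },
};
console.log(findAffected(SAMPLE_LOCK));
```

To audit a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findAffected` instead of the sample object.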

Key Information

GHSA ID: GHSA-3xgq-45jj-v275
Published: November 8, 2024 6:30 AM
Last Modified: May 19, 2025 7:56 PM
CVSS Score: 7.5/10
Primary Ecosystem: npm
Primary Package: cross-spawn
GitHub Reviewed: ✓ Yes

Dataset

Last updated: June 15, 2025 6:24 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.