CVE-2024-21538

7.5 HIGH
Published: November 08, 2024 Modified: April 15, 2026
View on NVD

Description

Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/moxystudio/node-cross-spawn/commit/5ff3a07d9add449021d806e45c4168203aa833ff
Source: report@snyk.io
https://github.com/moxystudio/node-cross-spawn/commit/640d391fde65388548601d95abedccc12943374f
Source: report@snyk.io
https://github.com/moxystudio/node-cross-spawn/pull/160
Source: report@snyk.io
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8366349
Source: report@snyk.io
https://security.snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230
Source: report@snyk.io

5 reference(s) from NVD

Quick Stats

CVSS v3 Score
7.5 / 10.0
EPSS (Exploit Probability)
0.1%
21th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-1333 CWE-1333

Related CVEs

CVE-2025-46607 6.6
CVE-2025-46606 6.2
CVE-2025-46605 6.2
CVE-2026-6483 7.2
CVE-2026-5131 N/A