CVE-2024-21538

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.

*Credits: Rongchen Li

CVSS Scores

Snykv3.1 7.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

Poc

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2023-12-22 CVE Reserved
2024-11-08 CVE Published
2024-11-08 EPSS Updated
2024-11-19 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-1333: Inefficient Regular Expression Complexity

CAPEC

References (5)

URL	Tag	Source
https://github.com/moxystudio/node-cross-spawn/commit/5ff3a07d9add449021d806e45c4168203aa833ff
https://github.com/moxystudio/node-cross-spawn/commit/640d391fde65388548601d95abedccc12943374f
https://github.com/moxystudio/node-cross-spawn/pull/160
https://security.snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8366349

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
-		-				-		-		-