
[SECURITY] Bump cross-spawn, CVE-2024-21538 #546

Open · wants to merge 1 commit into master
Conversation

@agustints commented Nov 20, 2024

Summary

This pull request upgrades the cross-spawn dependency to version 7.0.6, addressing a high-severity security vulnerability identified as CVE-2024-21538. The upgrade ensures the application is protected against potential exploitation via a Regular Expression Denial of Service (ReDoS) attack.


Detailed Description

Vulnerability Details

  • CVE-2024-21538:
    • Description: Versions of the cross-spawn package prior to 7.0.5 are vulnerable to a ReDoS attack. The issue arises from improper input sanitization in regular expressions, allowing attackers to craft malicious strings that significantly increase CPU usage and may lead to application crashes.
    • Severity: High (CVSS Score: 7.5)
    • Patched Versions: v7.0.5 and later

Changes Made

  • Updated the cross-spawn dependency in package.json to v7.0.6.
  • Ran npm install (or equivalent) to regenerate package-lock.json, ensuring consistency with the updated version.

Impact on Codebase

  • Dependencies:
    • This change updates only the cross-spawn package. No other dependencies are affected.
  • Functionality:
    • There are no changes to the application logic or functionality. This is a security-focused dependency update.
  • Performance:
    • Mitigates potential performance degradation caused by ReDoS attacks in prior versions.
  • Security:
    • Resolves a high-severity vulnerability, enhancing the overall security posture of the application.

Testing & Validation

  • Verified that all existing test cases pass successfully with the updated dependency.
  • Manually tested core functionality relying on cross-spawn to confirm no regressions or issues.
  • Reviewed the changelog for cross-spawn v7.0.6 to ensure compatibility with our current usage.

@jbreckmckye

Would be good to get this reviewed / merged rather than relying on npm update cross-spawn

@YasharF commented Feb 1, 2025

Why do we need this PR? The ^ versions should already cause npm install to install the latest version of those packages. If you already had the package installed, then you can either do an npm update or just nuke node_modules and redo your npm install.

@agustints agustints force-pushed the security-cross-spawn branch from 7ae23a7 to 8a32882 on February 1, 2025 17:46

@jbreckmckye

> The ^ versions should already cause npm install to install the latest version of those packages.

@YasharF The semantics of npm install / ci are not as straightforward as that - there are situations where the resolver will prefer a lower version of a package if it is already a candidate in package-lock
