{"id":"CVE-2024-21538","details":"Versions of the package cross-spawn before 6.0.6, and versions from 7.0.0 up to but not including 7.0.5, are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase CPU usage and crash the program by supplying a very large, specially crafted string.","aliases":["GHSA-3xgq-45jj-v275"],"modified":"2026-04-10T05:09:32.391809Z","published":"2024-11-08T05:15:06.453Z","related":["CGA-4mjp-r4mw-qq36","SUSE-SU-2024:4272-1","SUSE-SU-2024:4286-1","SUSE-SU-2024:4300-1","SUSE-SU-2024:4301-1","SUSE-SU-2025:3744-1","openSUSE-SU-2024:14550-1","openSUSE-SU-2024:14553-1","openSUSE-SU-2024:14558-1","openSUSE-SU-2024:14559-1","openSUSE-SU-2024:14560-1","openSUSE-SU-2024:14561-1","openSUSE-SU-2025:14615-1","openSUSE-SU-2025:14663-1","openSUSE-SU-2025:15802-1"],"references":[{"type":"WEB","url":"https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8366349"},{"type":"WEB","url":"https://security.snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230"},{"type":"FIX","url":"https://github.com/moxystudio/node-cross-spawn/commit/5ff3a07d9add449021d806e45c4168203aa833ff"},{"type":"FIX","url":"https://github.com/moxystudio/node-cross-spawn/commit/640d391fde65388548601d95abedccc12943374f"},{"type":"FIX","url":"https://github.com/moxystudio/node-cross-spawn/pull/160"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/moxystudio/node-cross-spawn","events":[{"introduced":"0"},{"fixed":"d35c865b877d2f9ded7c1ed87521c2fdb689c8dd"},{"introduced":"0"},{"fixed":"085268352dcbcad8064c64c5efb25268b4023184"},{"fixed":"5ff3a07d9add449021d806e45c4168203aa833ff"},{"fixed":"640d391fde65388548601d95abedccc12943374f"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"6.0.6"},{"introduced":"0"},{"fixed":"7.0.5"}]}}],"versions":["0.1.0","0.1.1","0.1.2","0.1.3","0.1.4","0.1.5","0.1.6","0.1.7","0.2.0","0.2.1","0.2.2","0.2.3","0.2.4","0.2.5","0.2.6","0.2.7","0.2.8","0.2.9","0.3.0","0.4.0","0.4.1","1.0.0","1.0.1","1.0.2","1.0.3","1.0.
4","2.0.0","2.0.1","2.1.1","2.1.2","2.1.3","2.1.4","2.1.5","2.2.0","2.2.2","2.2.3","3.0.0","3.0.1","4.0.0","4.0.2","5.0.0","5.0.1","5.1.0","v6.0.0","v6.0.1","v6.0.2","v6.0.3","v6.0.4","v6.0.5","v7.0.0","v7.0.1","v7.0.2","v7.0.3","v7.0.4"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-21538.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"}]}