
🔧 Security Update Request: Upgrade cross-spawn to a Secure Version #856


Open
3 tasks done
MyGuyCai opened this issue Feb 27, 2025 · 0 comments
Are you certain it's a bug?

  • Yes, it looks like a bug

Are you using the latest plugin release?

  • Yes, I'm using the latest plugin release

Is there an existing issue for this?

  • I have searched existing issues, it hasn't been reported yet

Issue description

📌 Description
The current version of cross-spawn used in this project contains a Regular Expression Denial of Service (ReDoS) vulnerability, identified as CVE-2024-21538, with a CVSS score of 8.7 (High).

🛑 Impact
This vulnerability could allow an attacker to exploit regular expression processing, leading to excessive resource consumption (high CPU usage, potential denial of service).

✅ Recommended Fix
Please update cross-spawn to one of the patched versions:

  • cross-spawn@6.0.6
  • cross-spawn@7.0.5

🔗 References
CVE-2024-21538
CWE-1333

Let me know if I can provide any further details. Thanks! 🙏

Service configuration (serverless.yml) content

N/A

Command name and used flags

N/A

Command output

N/A

Environment information

N/A
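One way to verify whether a project is actually affected before (and after) applying the recommended upgrade is to scan its lockfile for every copy of cross-spawn, including nested copies pulled in transitively, and compare each against the patched releases the issue names. The script below is an added example and is not code from the issue or from the Serverless project; it assumes that releases below 6.0.6 and 7.x releases below 7.0.5 are the unpatched ones (derived from the two patched versions listed above), that any major newer than 7 is patched, and it handles both the flat `packages` map of package-lock v2/v3 and the nested `dependencies` tree of v1. The sample lockfile embedded at the bottom is constructed for illustration.

```javascript
// Added example: report cross-spawn copies in a package-lock.json that are
// older than the patched releases named in the issue (6.0.6 and 7.0.5).
// Assumption: anything below 6.0.6, or 7.x below 7.0.5, is unpatched;
// majors newer than 7 are treated as patched.
const PATCHED_FLOORS = { 6: [6, 0, 6], 7: [7, 0, 5] };

// Parse "MAJOR.MINOR.PATCH" (ignoring any pre-release/build suffix) into numbers.
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the given cross-spawn version is below the patched release of its
// major line. Unparseable or missing versions are not flagged.
function isVulnerableCrossSpawn(version) {
  const v = parseVersion(version);
  if (!v) return false;
  const major = v[0];
  if (major < 6) return true; // assumption: 6.0.6 is the oldest patched release
  const floor = PATCHED_FLOORS[major];
  if (!floor) return false; // assumption: majors newer than 7 are patched
  return compareVersions(v, floor) < 0;
}

// Walk a parsed package-lock.json and return every unpatched cross-spawn copy,
// with its node_modules path so nested copies are attributable to a dependency.
function findVulnerableCrossSpawn(lock) {
  const findings = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/cross-spawn') && isVulnerableCrossSpawn(entry.version)) {
        findings.push({ path, version: entry.version });
      }
    }
    return findings;
  }
  // lockfileVersion 1: nested "dependencies" tree
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'cross-spawn' && isVulnerableCrossSpawn(entry.version)) {
        findings.push({ path, version: entry.version });
      }
      walk(entry.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return findings;
}

// Constructed sample (v3 layout): one unpatched top-level copy and one patched
// nested copy under a hypothetical "execa" dependency.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/cross-spawn': { version: '7.0.3' },
    'node_modules/execa': { version: '1.0.0' },
    'node_modules/execa/node_modules/cross-spawn': { version: '6.0.6' },
  },
};

for (const f of findVulnerableCrossSpawn(SAMPLE_LOCK)) {
  console.log(`${f.path}: cross-spawn@${f.version} is below the patched release`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with the parsed contents of that project's `package-lock.json`; an empty result after `npm install` (or after adding an `overrides` entry for cross-spawn) confirms the upgrade took effect for every nested copy, not just the top-level one.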