fix: disable regexp backtracking by satazor · Pull Request #160 · moxystudio/node-cross-spawn

satazor · 2024-11-06T09:01:23Z

With a very large and well crafted string, the escaping made by cross-spawn hangs forever.

const { argument } = require('cross-spawn/lib/util/escape');
var str = "";
for (var i = 0; i < 1000000; i++) {
  str += "\\";
}
str += "◎";

console.log("start")
argument(str)
console.log("end")

This PR disables regexp back tracking so that it doesn't suffer from this. https://javascript.info/regexp-catastrophic-backtracking for more details.

This reverts commit 5ff3a07.

Resolves: #28 Vulnerability Details: - CVE: CVE-2024-21538 - Severity: HIGH - CVSS Score: 7.5 - Package: cross-spawn (transitive dependency) - Vulnerable Version: 7.0.3 - Fixed Version: 7.0.5 - CWE: CWE-1333 (Inefficient Regular Expression Complexity) Remediation: Added npm overrides to force cross-spawn to version 7.0.5, which contains the security fix for this HIGH severity ReDoS vulnerability. The cross-spawn package is a transitive dependency of Next.js and other build tools. This fix prevents Regular Expression Denial of Service (ReDoS) attacks that could cause CPU exhaustion and application crashes through crafted input strings. Automated fix generated by IBM Bob based on CVE research from: - NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-21538 - Snyk Advisory: https://security.snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230 - GitHub PR: moxystudio/node-cross-spawn#160

fix: disable regexp backtracking

6337cca

satazor force-pushed the bugfix/regexp-backtrack branch from 99d1c1c to 6337cca Compare November 6, 2024 09:06

satazor merged commit 5ff3a07 into master Nov 6, 2024

satazor added a commit that referenced this pull request Nov 7, 2024

Revert "fix: disable regexp backtracking (#160)"

31c1712

This reverts commit 5ff3a07.

satazor mentioned this pull request Nov 7, 2024

fix: fix escaping bug introduced by backtracking #162

Merged

satazor deleted the bugfix/regexp-backtrack branch November 7, 2024 13:04

satazor added a commit that referenced this pull request Nov 18, 2024

fix: disable regexp backtracking (#160)

ba5aaef

Scc33 mentioned this pull request Nov 18, 2024

CVE-2024-21538 | Regular Expression Denial of Service (ReDoS) in cross-spawn | Version Fixed? #167

Open

This was referenced Nov 19, 2024

chore(deps): update cross-spawn to v7.0.6 yarnpkg/berry#6605

Closed

chore: unlock cross-spawn range yarnpkg/berry#6606

Merged

Thompson1985 approved these changes Nov 20, 2024

View reviewed changes

folortin mentioned this pull request Nov 21, 2024

[Security] ReDoS vulnerability npm/cli#7927

Closed

This was referenced Dec 9, 2024

Fix CVE–2024–21538 Moldy-Crow/Uptime_Kuma_Test#2

Merged

Fix CVE–2024–21538 Moldy-Crow/Uptime_Kuma_Test#3

Merged

debricked bot mentioned this pull request Dec 19, 2024

Fix CVE–2024–21538 Moldy-Crow/Uptime_Kuma_Test#4

Merged

This was referenced Jan 7, 2025

High/Critical Vulnerabilities Found on latest build gknguyen/backend-node-service#8

Closed

High/Critical Vulnerabilities Found on latest build gknguyen/backend-node-service#9

Closed

deepsource-development bot mentioned this pull request Jan 29, 2025

fix(deps): update eslint from 8.56.0 → 9.19.0 CyberdyneHQ/phaser#14

Open

debricked bot mentioned this pull request Feb 4, 2025

Fix CVE–2024–21538 AppiLia/juice-shop#1

Merged

gurus00 pushed a commit to gurus00/node-cross-spawn that referenced this pull request Feb 11, 2025

fix: disable regexp backtracking (moxystudio#160)

33bca0b

deepsource-development bot mentioned this pull request Feb 13, 2025

fix(deps): update npm/cross-spawn from 7.0.3 → 7.0.5 anto-deepsource/phaser#14

Open

pratheeshrussell-qb mentioned this pull request Feb 20, 2025

Test pratheeshrussell-qb/docker_vuln_scan#8

Closed

github-actions bot mentioned this pull request Feb 25, 2025

High/Critical Vulnerabilities Found on latest build gknguyen/backend-node-service#17

Closed

pratheeshrussell-qb mentioned this pull request Apr 7, 2025

Test pratheeshrussell-qb/docker_vuln_scan#9

Closed

github-actions bot mentioned this pull request Apr 7, 2025

Test2 pratheeshrussell-qb/docker_vuln_scan#10

Open

This was referenced Apr 11, 2025

fix(deps): update npm/cross-spawn from 7.0.3 → 7.0.5 CyberdyneHQ/phaser#21

Open

fix(deps): update npm/eslint from 8.56.0 → 9.24.0 CyberdyneHQ/phaser#22

Open

deepsource-development bot mentioned this pull request Apr 25, 2025

fix(deps): update npm/cross-spawn from 7.0.3 → 7.0.5 CyberdyneHQ/phaser#31

Open

github-actions bot mentioned this pull request Jun 21, 2025

chore(deps): bump cross-spawn from 7.0.3 to 7.0.6 korosuke613/homepage-2nd#1077

Merged

gardera-security bot mentioned this pull request Oct 14, 2025

Update cross-spawn from version 7.0.3 to version 7.0.5 patriknordlen/mob-time#143

Open

gardera-security bot mentioned this pull request Nov 14, 2025

Update cross-spawn from version 7.0.3 to version 7.0.5 patriknordlen/mob-time#152

Open

This was referenced Feb 5, 2026

🔒 Security Fix: Remediate CVE-2024-21538 - Regular Expression Denial of Service (ReDoS) highorbit25/concert-vuln-app#34

Closed

🔒 Security Fix: Remediate CVE-2024-21538 - Regular Expression Denial of Service (ReDoS) highorbit25/concert-vuln-app#42

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: disable regexp backtracking#160

fix: disable regexp backtracking#160
satazor merged 1 commit intomasterfrom
bugfix/regexp-backtrack

satazor commented Nov 6, 2024

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

satazor commented Nov 6, 2024

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants