Closed as not planned
Description
Waiting for
- CROSSSPAWN-8303230: Regular Expression Denial of Service (ReDoS) affecting cross-spawn package in version 11.0.0 of Glob isaacs/node-glob#615
- fix-vuln: patch cross-spawn to fix ReDoS vulnerability tapjs/foreground-child#60
Vulnerability Information
Package: npm/cross-spawn
Vulnerabilities
cross-spawn: >= 7.0.0, < 7.0.5, fixed in 7.0.5
cross-spawn: < 6.0.6, fixed in 6.0.6
Manifest Path: package-lock.json
Scope: runtime
Advisory:
ID: https://github.com/advisories/GHSA-3xgq-45jj-v275
CVE ID: https://github.com/advisories/GHSA-3xgq-45jj-v275
Severity: high
Alert url:
https://github.com/Wise-Ingegneria/W-Radio-TS/security/dependabot/11
Summary: Regular Expression Denial of Service (ReDoS) in cross-spawn
Description:
Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can drive up CPU usage and crash the program by supplying a very large, specially crafted string.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-21538
moxystudio/node-cross-spawn#160
moxystudio/node-cross-spawn@5ff3a07
moxystudio/node-cross-spawn@640d391
https://security.snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230
https://github.com/moxystudio/node-cross-spawn/issues/165
https://github.com/moxystudio/node-cross-spawn/commit/d35c865b877d2f9ded7c1ed87521c2fdb689c8dd
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8366349
https://github.com/advisories/GHSA-3xgq-45jj-v275
Metadata
Assignees
Labels
No labels