MEDIUM · CVSS 5.3
CVE-2024-21538 — cross-spawn ReDoS
A ReDoS in cross-spawn, which sits inside most CLI tooling in the Node ecosystem, let a crafted, very long command-line argument make the library's argument-escaping regex backtrack for a long time, pinning the CPU and hanging the process.
Affects
- cross-spawn < 7.0.5
What an attacker does
Any tool that shells out through cross-spawn with attacker-influenced arguments (some test runners, some git hooks) stalls on a crafted argument. For most applications this is a build-time denial of service rather than runtime exposure.
How to detect
Run `npm ls cross-spawn`; it prints every resolved copy together with the dependency path that pulls it in, so transitive copies below 7.0.5 show up as well. `npm audit` reports the same advisory.
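As an added example (not code from the advisory or from cross-spawn itself), the Node script below performs the same check offline against a package-lock.json: it lists every resolved copy of cross-spawn below 7.0.5 with the chain that pulls it in. The sample lockfile and its dependent package names are constructed.

```javascript
// Added example (not from the advisory or cross-spawn): scan a package-lock.json
// (lockfileVersion 2 or 3, npm 7+) for every resolved copy of cross-spawn below
// 7.0.5 and report the node_modules path that pulls it in, i.e. the transitive chain.
const FIXED = [7, 0, 5]; // first fixed release named in the advisory
// "7.0.3" -> [7, 0, 3]; pre-release/build suffixes are dropped (a simplification).
function parseVersion(v) {
  return v.split(/[-+]/)[0].split('.').map((n) => parseInt(n, 10) || 0);
}
function isBelow(a, b) {
  for (let i = 0; i < 3; i++) {
    const x = a[i] || 0, y = b[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}
// "node_modules/jest-cli/node_modules/cross-spawn" -> ["jest-cli", "cross-spawn"];
// splitting on "node_modules/" keeps scoped names such as "@scope/tool" whole.
function chainFromPath(p) {
  return p.split('node_modules/').map((s) => s.replace(/\/$/, '')).filter(Boolean);
}
// Returns [{ version, chain }] for every cross-spawn entry below FIXED.
function findVulnerable(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const chain = chainFromPath(path);
    if (chain[chain.length - 1] !== 'cross-spawn' || !meta.version) continue;
    if (isBelow(parseVersion(meta.version), FIXED)) {
      hits.push({ version: meta.version, chain: chain.join(' > ') });
    }
  }
  return hits;
}

// Constructed sample lockfile; the dependent package names are made up.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/cross-spawn': { version: '7.0.6' }, // already fixed
    'node_modules/jest-cli/node_modules/cross-spawn': { version: '7.0.3' },
    'node_modules/@scope/tool/node_modules/cross-spawn': { version: '6.0.5' },
    'node_modules/@other/cross-spawn': { version: '0.0.1' }, // a different package
  },
};

// Usage: node scan.js package-lock.json
if (typeof require !== 'undefined' && require.main === module && process.argv[2]) {
  const lock = JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'));
  findVulnerable(lock).forEach((h) => console.log(`cross-spawn@${h.version} via ${h.chain}`));
}
```

Lockfile version 1 (npm 6 and older) nests dependencies under `dependencies` instead of a flat `packages` map and is not handled here.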
How to fix
Upgrade cross-spawn to 7.0.5+ (run `npm update`). Note that `npm update` only moves a package within the semver range each dependent declares; if a dependent pins an older range, use `npm audit fix` or an `overrides` entry in package.json, then re-run `npm ls cross-spawn` to confirm no copy below 7.0.5 remains.
How Securie catches it
Securie flags the transitive chain.