Skip to main content

Inefficient Regular Expression Complexity

CVE-2024-21538

Severity High
Score 7.5/10

Summary

Versions of the package cross-spawn prior to 6.0.6 and 7.x prior to 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS), due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.

  • LOW
  • NETWORK
  • NONE
  • UNCHANGED
  • NONE
  • NONE
  • NONE
  • HIGH

CWE-1333 - Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

Advisory Timeline

  • Published