VYPR
High severity (7.5) · NVD Advisory · Published Nov 8, 2024 · Updated Apr 15, 2026

CVE-2024-21538

Description

Versions of the package cross-spawn before 6.0.6, and from 7.0.0 before 7.0.5, are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can drive up CPU usage and crash the program by supplying a very large, specially crafted string.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package           | Affected versions  | Patched versions
cross-spawn (npm) | >= 7.0.0, < 7.0.5  | 7.0.5
cross-spawn (npm) | < 6.0.6            | 6.0.6
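To check a lockfile against the affected ranges in the table above, here is an added example (not part of the advisory or of cross-spawn): it walks the "packages" map of a lockfileVersion 2/3 package-lock.json (the lockfile below is constructed sample input) and reports every cross-spawn entry whose version falls in a vulnerable range. It assumes plain x.y.z versions; prerelease tags are not handled.

```javascript
// Constructed sample lockfile: three copies of cross-spawn, two of them
// in the affected ranges listed in the advisory table.
const SAMPLE_LOCK = JSON.stringify({
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/cross-spawn': { version: '7.0.3' },
    'node_modules/execa/node_modules/cross-spawn': { version: '6.0.5' },
    'node_modules/other-tool/node_modules/cross-spawn': { version: '7.0.5' },
  },
});

// Parse "x.y.z" into [major, minor, patch]; null for anything else
// (prerelease or build tags are deliberately not supported here).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

// Numeric compare of two parsed versions; negative when a < b.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Affected ranges for CVE-2024-21538 exactly as the advisory lists them:
// >= 7.0.0 and < 7.0.5, or < 6.0.6.
function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return false; // unparseable version: treat as unknown, not vulnerable
  const lt = (bound) => compareVersions(v, parseVersion(bound)) < 0;
  const gte = (bound) => compareVersions(v, parseVersion(bound)) >= 0;
  return (gte('7.0.0') && lt('7.0.5')) || lt('6.0.6');
}

// Return every cross-spawn entry (top-level or nested) in a vulnerable range.
function findVulnerableCrossSpawn(lockJson) {
  const lock = JSON.parse(lockJson);
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/cross-spawn')) continue;
    if (isAffected(entry.version)) hits.push({ path, version: entry.version });
  }
  return hits;
}

console.log(findVulnerableCrossSpawn(SAMPLE_LOCK));
```

Point the script at a real package-lock.json by reading the file instead of SAMPLE_LOCK; the nested-path check matters because a patched top-level copy can coexist with a vulnerable one under another dependency.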

Patches (4)
d35c865b877d

chore(release): 6.0.6

https://github.com/moxystudio/node-cross-spawn · André Cruz · Nov 18, 2024 · via ghsa
3 files changed · +13 -2
  • CHANGELOG.md (+11 -0) modified
    @@ -2,6 +2,17 @@
     
     All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
     
    +<a name="6.0.6"></a>
    +## [6.0.6](https://github.com/moxystudio/node-cross-spawn/compare/v6.0.5...v6.0.6) (2024-11-18)
    +
    +
    +### Bug Fixes
    +
    +* disable regexp backtracking ([#160](https://github.com/moxystudio/node-cross-spawn/issues/160)) ([ba5aaef](https://github.com/moxystudio/node-cross-spawn/commit/ba5aaef))
    +* **core:** support worker threads ([#127](https://github.com/moxystudio/node-cross-spawn/issues/127)) ([f4af31c](https://github.com/moxystudio/node-cross-spawn/commit/f4af31c))
    +
    +
    +
     <a name="6.0.5"></a>
     ## [6.0.5](https://github.com/moxystudio/node-cross-spawn/compare/v6.0.4...v6.0.5) (2018-03-02)
     
    
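Review bot: the 6.0.6 changelog entry "disable regexp backtracking (#160)" does not say that the change fixes a denial-of-service issue or reference the advisory, so consumers scanning the changelog cannot tell that this release is the security fix for the 6.x line. Suggest mentioning the ReDoS in lib/util/escape.js and the CVE/GHSA identifier in that bullet so the release-to-fix mapping is visible outside the advisory database.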
  • package.json (+1 -1) modified
    @@ -1,6 +1,6 @@
     {
       "name": "cross-spawn",
    -  "version": "6.0.5",
    +  "version": "6.0.6",
       "description": "Cross platform child_process#spawn and child_process#spawnSync",
       "keywords": [
         "spawn",
    
  • package-lock.json (+1 -1) modified
    @@ -1,6 +1,6 @@
     {
       "name": "cross-spawn",
    -  "version": "6.0.5",
    +  "version": "6.0.6",
       "lockfileVersion": 3,
       "requires": true,
       "packages": {
    
640d391fde65

fix: fix escaping bug introduced by backtracking

1 file changed · +2 -2
  • lib/util/escape.js (+2 -2) modified
    @@ -20,12 +20,12 @@ function escapeArgument(arg, doubleEscapeMetaChars) {
     
         // Sequence of backslashes followed by a double quote:
         // double up all the backslashes and escape the double quote
    -    arg = arg.replace(/(?=\\*?)"/g, '$1$1\\"');
    +    arg = arg.replace(/(?=(\\+?)?)\1"/g, '$1$1\\"');
     
         // Sequence of backslashes followed by the end of the string
         // (which will become a double quote later):
         // double up all the backslashes
    -    arg = arg.replace(/(?=\\*?)$/, '$1$1');
    +    arg = arg.replace(/(?=(\\+?)?)\1$/, '$1$1');
     
         // All other backslashes occur literally
     
    
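Review bot: the lazy `+?` inside `(?=(\\+?)?)` captures exactly one backslash, and because a JS lookahead is atomic the engine cannot re-enter it to lengthen the capture, so `\1"` (and `\1$`) only ever consumes the last backslash of a run. That keeps the scan linear, which is the point of the change, but it also means that for two or more backslashes before a `"` only the final one is doubled, whereas the pre-#160 `(\\*)"` doubled the whole run. Please add test cases such as an argument containing `\\"` and one ending in `\\` and confirm the output is the escaping the cmd algorithm expects; if the whole run must be doubled, the pattern needs a different construction than a lazy capture in a lookahead.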
5ff3a07d9add

fix: disable regexp backtracking (#160)

1 file changed · +4 -2
  • lib/util/escape.js (+4 -2) modified
    @@ -15,15 +15,17 @@ function escapeArgument(arg, doubleEscapeMetaChars) {
         arg = `${arg}`;
     
         // Algorithm below is based on https://qntm.org/cmd
    +    // It's slightly altered to disable JS backtracking to avoid hanging on specially crafted input
    +    // Please see https://github.com/moxystudio/node-cross-spawn/pull/160 for more information
     
         // Sequence of backslashes followed by a double quote:
         // double up all the backslashes and escape the double quote
    -    arg = arg.replace(/(\\*)"/g, '$1$1\\"');
    +    arg = arg.replace(/(?=\\*?)"/g, '$1$1\\"');
     
         // Sequence of backslashes followed by the end of the string
         // (which will become a double quote later):
         // double up all the backslashes
    -    arg = arg.replace(/(\\*)$/, '$1$1');
    +    arg = arg.replace(/(?=\\*?)$/, '$1$1');
     
         // All other backslashes occur literally
     
    
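Review bot: the new patterns `(?=\\*?)"` and `(?=\\*?)$` have no capturing group, so the `$1$1` in the replacement strings no longer refers to anything and is inserted as literal text, turning every `"` into `$1$1\"`; the lookahead itself is also a no-op, since lazy `*?` with nothing after it matches the empty string and the backslashes are left unconsumed and undoubled. The replacement strings need a group to refer to (the subsequent commit "fix escaping bug introduced by backtracking" changes this to `(?=(\\+?)?)\1`), and the escaping tests should cover a backslash-before-quote argument so a regression of this kind fails CI. Worth stating in the comment what was quadratic before: `(\\*)"` greedily consumes a run of backslashes at every starting position and then backs off one by one when no `"` follows, which on a long run of backslashes costs O(n²) overall.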
