
Security: Fix CVE-2024-21538 (cross-spawn)#14

Closed
vmrh21 wants to merge 1 commit into test/workflow-cve-41174 from fix/cve-2024-21538-cross-spawn-attempt-1

Conversation


@vmrh21 vmrh21 commented Feb 17, 2026

Summary

This PR fixes CVE-2024-21538 by upgrading cross-spawn to version 7.0.6 using npm overrides.

CVE Details

  • CVE ID: CVE-2024-21538
  • Package: cross-spawn
  • Severity: HIGH (CVSS 7.5)
  • Impact: Regular Expression Denial of Service (ReDoS) vulnerability
  • Vulnerable versions: <6.0.6 || >=7.0.0 <7.0.5
  • Fixed version: 7.0.6
  • Jira Issues: RHOAIENG-15602, RHOAIENG-15601, RHOAIENG-15600, RHOAIENG-15596, RHOAIENG-15598, RHOAIENG-15599, RHOAIENG-15597

Vulnerability Description

The cross-spawn package contains a ReDoS vulnerability in its argument parsing that could allow an attacker to cause excessive CPU consumption by providing specially crafted command arguments.

Fix Method

This PR uses npm's overrides feature to force all transitive dependencies to use cross-spawn ^7.0.6.

Why npm overrides?

  • Creates minimal, reviewable PR
  • No lockfile format upgrades
  • Forces consistent version across entire dependency tree

Breaking Changes

None - cross-spawn 7.0.6 is a security patch release with no API changes.

Files Changed

  • package.json - Added overrides section
  • package-lock.json - Updated dependencies
  • backend/package-lock.json - Updated dependencies
  • frontend/package-lock.json - Updated dependencies

Total: 4 files changed

Testing Checklist

  • Run npm audit to verify CVE-2024-21538 is resolved
  • Run npm list cross-spawn to verify version 7.0.6 is installed
  • Run unit tests: npm run test
  • Run integration tests: npm run test:integration
  • Verify application builds successfully: npm run build

Risk Assessment

| Risk Factor | Level | Notes |
| --- | --- | --- |
| Breaking Changes | NONE | Security patch only |
| Dependency Conflicts | LOW | cross-spawn is widely compatible |
| Regression Risk | LOW | No code changes |
| Security Impact | HIGH | Resolves ReDoS vulnerability |

Generated with CVE Fixer Workflow

- Add npm override for cross-spawn ^7.0.6 to fix CVE-2024-21538 (ReDoS vulnerability)
- Update all lock files in monorepo (main, backend, frontend)
- Resolves RHOAIENG-15602, RHOAIENG-15601, RHOAIENG-15600, RHOAIENG-15596, RHOAIENG-15598, RHOAIENG-15599, RHOAIENG-15597

CVE Details:
- CVE ID: CVE-2024-21538
- Package: cross-spawn
- Severity: HIGH (CVSS 7.5)
- Impact: Regular Expression Denial of Service (ReDoS)
- Vulnerable versions: <6.0.6 || >=7.0.0 <7.0.5
- Fixed version: 7.0.6

Fix Method:
- Used npm overrides to force cross-spawn ^7.0.6 across all transitive dependencies
- This ensures all instances of cross-spawn use the patched version

Files Changed (4 total):
- package.json (added overrides section)
- package-lock.json (updated dependencies)
- backend/package-lock.json (updated dependencies)
- frontend/package-lock.json (updated dependencies)

Breaking Changes:
- None - cross-spawn 7.0.6 is a security patch with no API changes

Testing:
- Verified cross-spawn@7.0.6 is installed via npm list
- Confirmed CVE-2024-21538 no longer appears in npm audit

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
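An added verification script, not part of this PR or of the cross-spawn project, that applies the vulnerable range quoted in the description (<6.0.6 || >=7.0.0 <7.0.5) to every cross-spawn entry in a package-lock.json (v1 nested `dependencies` or v2/v3 flat `packages`) and checks that the package.json `overrides` entry pins a patched version. The lockfile and package.json contents are constructed samples.

```javascript
// Added example: audit lockfiles for cross-spawn in the advisory range and
// confirm the npm override. Inputs below are constructed, not real project files.
const parse = (v) => v.split('-')[0].split('.').map(Number);
const cmp = (a, b) => {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
};

// True when `version` lies in the range the PR quotes: <6.0.6 || >=7.0.0 <7.0.5
function isVulnerableCrossSpawn(version) {
  return cmp(version, '6.0.6') < 0 ||
    (cmp(version, '7.0.0') >= 0 && cmp(version, '7.0.5') < 0);
}

// Return every installed cross-spawn copy as { path, version }. Lockfile v2/v3
// lists flat "node_modules/.../cross-spawn" keys; v1 nests under `dependencies`.
function findCrossSpawn(lock) {
  const found = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith('node_modules/cross-spawn')) found.push({ path, version: meta.version });
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'cross-spawn') found.push({ path, version: meta.version });
      walk(meta.dependencies, path + '/');
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return found;
}

// True when package.json has a cross-spawn override whose lower bound is patched.
function overrideIsPatched(pkg) {
  const spec = (pkg.overrides || {})['cross-spawn'];
  if (!spec) return false;
  return !isVulnerableCrossSpawn(spec.replace(/^[\^~]/, ''));
}

// Constructed sample: a patched top-level copy plus a nested unpatched duplicate.
const sampleLock = { lockfileVersion: 3, packages: {
  'node_modules/cross-spawn': { version: '7.0.6' },
  'node_modules/execa/node_modules/cross-spawn': { version: '7.0.3' } } };
const samplePkg = { overrides: { 'cross-spawn': '^7.0.6' } };

const vulnerable = findCrossSpawn(sampleLock).filter((e) => isVulnerableCrossSpawn(e.version));
console.log('unpatched copies:', vulnerable, 'override ok:', overrideIsPatched(samplePkg));
```

Run it against each of the monorepo's lockfiles (main, backend, frontend) by loading the parsed JSON instead of the samples; an empty `vulnerable` list in all three is the condition `npm audit` should also confirm.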

vmrh21 commented Feb 18, 2026

Test complete - resetting for fresh test

@vmrh21 vmrh21 closed this Feb 18, 2026
@vmrh21 vmrh21 deleted the fix/cve-2024-21538-cross-spawn-attempt-1 branch February 18, 2026 20:24