Skip to content

Security: Fix CVE-2024-21538 (cross-spawn ReDoS)#25

Closed
vmrh21 wants to merge 1 commit intotest/workflow-cve-41174from
fix/cve-2024-21538-cross-spawn-attempt-1
Closed

Security: Fix CVE-2024-21538 (cross-spawn ReDoS)#25
vmrh21 wants to merge 1 commit intotest/workflow-cve-41174from
fix/cve-2024-21538-cross-spawn-attempt-1

Conversation

@vmrh21
Copy link
Copy Markdown
Owner

@vmrh21 vmrh21 commented Feb 26, 2026

Date: 2026-02-26

Summary

This PR fixes CVE-2024-21538 by adding npm override for cross-spawn ^7.0.6. This forces all transitive dependencies to use the patched version, resolving a Regular Expression Denial of Service (ReDoS) vulnerability.

CVE Details

  • CVE ID: CVE-2024-21538
  • Package: cross-spawn
  • Severity: High (CVSS 7.5)
  • Impact: Regular Expression Denial of Service (ReDoS)
  • Vulnerable versions: < 7.0.6
  • Fixed version: 7.0.6
  • Jira Issues: Referenced from repository guidance

Fix Method

Used npm overrides field (recommended approach for this monorepo):

{
  "overrides": {
    "cross-spawn": "^7.0.6"
  }
}

Files Changed (4 total)

  • package.json (added overrides)
  • package-lock.json
  • backend/package-lock.json
  • frontend/package-lock.json

Test Results ✅

Status: All tests passed
Test command: npm test
Duration: 11.5s

Test Summary
  • Test Suites: 4 passed, 4 total
  • Tests: 30 passed, 30 total
  • Backend: PASSED
  • Frontend: PASSED (lint + jest + type-check)

Breaking Changes

None - cross-spawn 7.0.6 is backward compatible with 7.0.x. This is a pure security patch.

Verification

Before:

cross-spawn@7.0.3 (vulnerable)

After:

cross-spawn@7.0.6 overridden
CVE-2024-21538 no longer in npm audit

Testing Checklist

  • Pre-PR automated tests executed and passed
  • Verified cross-spawn@7.0.6 with npm list cross-spawn
  • Verified CVE resolved with npm audit
  • All monorepo lock files updated (root, backend, frontend)
  • Verify build tools work correctly (cross-spawn is used by many dev tools)

Risk Assessment

Category Risk Level Notes
Breaking Changes None Backward compatible security patch
Dependency Conflicts Low No conflicts detected
Rollback Complexity Low Simple revert

🤖 Generated by CVE Fixer Workflow

@claude
Fix CVE-2024-21538: cross-spawn ReDoS Vulnerability
cebbd9e 
- Add npm override for cross-spawn ^7.0.6 to fix CVE-2024-21538
- Update all lock files in monorepo (root, backend, frontend)
- Resolves CVE-2024-21538 Jira issues

CVE Details:
- CVE ID: CVE-2024-21538
- Package: cross-spawn
- Severity: High (CVSS 7.5)
- Impact: Regular Expression Denial of Service (ReDoS)
- Vulnerable versions: < 7.0.6
- Fixed version: 7.0.6

Files Changed (4 total):
- package.json (added overrides)
- package-lock.json
- backend/package-lock.json
- frontend/package-lock.json

Breaking Changes:
- None - backward compatible security patch

Testing:
- Verified cross-spawn@7.0.6 via npm list
- Confirmed CVE no longer in npm audit
- All automated tests passed (4 suites, 30 tests)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@vmrh21
Copy link
Copy Markdown
Owner Author

vmrh21 commented Feb 26, 2026

Closing for fresh test run

@vmrh21 vmrh21 closed this Feb 26, 2026
@vmrh21 vmrh21 deleted the fix/cve-2024-21538-cross-spawn-attempt-1 branch February 26, 2026 16:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@vmrh21