CVE-2024-21538
Regular expression denial of service (ReDoS) in cross-spawn — a transitive dependency in millions of npm projects.
What's the vulnerability?
cross-spawn is a tiny utility that lets Node.js code run shell commands in a way that works the same on Windows, macOS, and Linux. It's not flashy, but it's everywhere — pulled in transitively by npm, pnpm, yarn, eslint, nodemon, husky, webpack-cli, and thousands of other tools you've never heard of. Snyk's advisory pegs it at over a hundred million weekly downloads. If you have a node_modules, you almost certainly have cross-spawn.
CVE-2024-21538 is a regular expression denial of service (ReDoS) in cross-spawn's argument parser. A specially crafted input string can force the regex engine into catastrophic backtracking, consuming CPU exponentially with input length. The CVSS 3.1 score is 7.5 (High), AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H — network attack vector, no privileges, no interaction, full availability impact.
Realistic exploitation scenario
ReDoS rarely matters in tools that only ever run with developer-controlled input. It matters a lot when:
- A web service forwards user-supplied strings into a child-process invocation (CI runners, build-on-demand SaaS, CMS plugins).
- A long-running daemon parses untrusted job payloads (queue workers, GitHub App handlers).
- A CLI accepts piped input from an untrusted source (log scrapers, webhook test harnesses).
In any of those, an attacker who can influence the string passed to cross-spawn can pin a CPU core indefinitely with a few hundred bytes. Multiply by request count and your event loop is gone.
Who's affected
Anyone running cross-spawn <6.0.6 on the v6 line, or >=7.0.0 <7.0.5 on the v7 line. Because cross-spawn is almost always a transitive dependency, your direct package.json won't tell you — you have to inspect the lockfile.
How to detect it in your repo
Copy-paste these into your project root:
# npm — list every cross-spawn version present in the tree
npm ls cross-spawn --all
# pnpm
pnpm why cross-spawn
# yarn (Berry)
yarn why cross-spawn
# raw lockfile grep — works for npm, pnpm, yarn classic; -A1 also prints the line
# after each match, which is where npm and yarn classic record the resolved version
grep -n -A1 'cross-spawn' package-lock.json pnpm-lock.yaml yarn.lock 2>/dev/null
If you see a 6.0.x lower than 6.0.6, or a 7.0.x lower than 7.0.5, you have a vulnerable copy. Multiple versions can coexist — fix every one.
GitHub also flags this CVE in the Dependabot alerts tab of any repo with cross-spawn in its lockfile. The advisory is GHSA-3xgq-45jj-v275.
The fix
Bump to cross-spawn@7.0.5 (or 6.0.6 if you're stuck on the v6 line). Because it's transitive, the fix usually means:
- Upgrading the direct dependency that pulls it in (often npm, pnpm, or a lint/build tool).
- Or pinning a resolution: overrides in package.json for npm/pnpm, resolutions for Yarn.
Example npm override:
{
  "overrides": {
    "cross-spawn": "^7.0.5"
  }
}
Then run rm -rf node_modules package-lock.json && npm install, and re-run npm ls cross-spawn --all to confirm that every copy now resolves to the one fixed version.
Why "transitive" is the real story
Most teams glance at their direct dependencies, see green, and move on. CVE-2024-21538 is the textbook reason that's not enough. A single transitive package, three layers deep, can end up imported by every Express handler in your service — and a CVSS 7.5 in that package becomes a CVSS 7.5 in your product. Lockfile-aware scanning, not package.json-aware scanning, is the only way to see the real exposure.
How RepoWarden handles this
RepoWarden scans your lockfile, not just your manifest, so transitive copies of cross-spawn don't hide. When CVE-2024-21538 lands in the GitHub Advisory Database, RepoWarden:
- Identifies every direct dependency that resolves to a vulnerable cross-spawn.
- Opens a PR that bumps the smallest possible set of parents — or applies an overrides block when the parent isn't shipping a fix yet.
- Runs your existing CI on the PR before requesting review, so a "security update" can never silently break your build.
The result: you go from CVE published → fix merged in the time it takes to drink a coffee, without any of the lockfile archaeology this advisory normally demands.