
Security: Fix CVE-2024-21538 (cross-spawn)#22

Closed
vmrh21 wants to merge 1 commit into test/workflow-cve-41174 from fix/cve-2024-21538-cross-spawn-attempt-1

Conversation

Owner

@vmrh21 vmrh21 commented Feb 19, 2026

Date: 2026-02-19

Summary

This PR fixes CVE-2024-21538 by adding an npm override to force cross-spawn to version 7.0.6 across all dependencies.

CVE Details

  • CVE ID: CVE-2024-21538
  • Package: cross-spawn
  • Severity: HIGH (CVSS 7.5)
  • Impact: Regular Expression Denial of Service (ReDoS) in argument parsing
  • Attack Vector: Processing malicious command-line arguments
  • Vulnerable versions: <6.0.6 || >=7.0.0 <7.0.5
  • Fixed version: 7.0.6
  • Jira Issues: RHOAIENG-15602, RHOAIENG-15601, RHOAIENG-15600, RHOAIENG-15596, RHOAIENG-15598, RHOAIENG-15599, RHOAIENG-15597, RHOAIENG-17795

Test Results

Status: ✅ All tests passed

Tests discovered: Yes
Test command: npm test
Result: PASSED
Duration: ~30s

Test Summary
  • Total: 30 tests
  • Passed: 30
  • Failed: 0
  • Skipped: 0

Backend: All type checks passed
Frontend: 4 test suites passed

Changes Made

  • Added npm override: "cross-spawn": "^7.0.6" in root package.json
  • Updated all monorepo lock files (root, backend, frontend)
  • No application code changes required

Breaking Changes

None - this is a pure security patch with no API changes. Version 7.0.6 is backward compatible with 7.0.x.

Testing Checklist

  • Pre-PR automated tests executed and passed
  • Verified cross-spawn@7.0.6 installed via npm list cross-spawn
  • Confirmed CVE-2024-21538 no longer in npm audit
  • Build successful
  • All test suites passed
  • Manual testing (if applicable)

Risk Assessment

Risk Factor         Level   Notes
Breaking Changes    None    Security patch only
Dependency Impact   Low     Used by test runners and build tools
Regression Risk     Low     No code changes, all tests pass

Verification Steps

  1. Verify CVE resolved:

    npm audit | grep CVE-2024-21538
    # Should return no results
  2. Verify cross-spawn version:

    npm list cross-spawn
    # Should show 7.0.6
  3. Run tests:

    npm test
    # All tests should pass

References


🤖 Generated by CVE Fixer Workflow

- Add npm override for cross-spawn ^7.0.6 to fix CVE-2024-21538
- Update all lock files in monorepo (root, backend, frontend)
- Resolves RHOAIENG-15602, RHOAIENG-15601, RHOAIENG-15600, RHOAIENG-15596, RHOAIENG-15598, RHOAIENG-15599, RHOAIENG-15597, RHOAIENG-17795

CVE Details:
- CVE ID: CVE-2024-21538
- Package: cross-spawn
- Severity: HIGH (CVSS 7.5)
- Impact: Regular Expression Denial of Service (ReDoS)
- Vulnerable versions: <6.0.6 || >=7.0.0 <7.0.5
- Fixed version: 7.0.6

Files Changed (4 total):
- package.json (added overrides)
- package-lock.json
- backend/package-lock.json
- frontend/package-lock.json

Breaking Changes:
- None (security patch only)

Testing:
- Verified cross-spawn@7.0.6 via npm list
- Confirmed CVE no longer in npm audit
- All tests passed (30 passed, 0 failed)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
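The PR relies on a root-level npm override to force every copy of cross-spawn in the monorepo to the fixed version, and its verification steps check that with `npm audit` and `npm list`. The script below is an added example, not code from the PR or the repository: it audits the `packages` map of a lockfileVersion 2/3 `package-lock.json` for cross-spawn copies (including nested duplicates under other tools) that still fall inside the vulnerable ranges the PR lists (`<6.0.6 || >=7.0.0 <7.0.5`), and shows the `overrides` entry the PR adds to `package.json`. The lockfile and package.json objects are constructed inline for the demo; the package names `some-test-runner` and `other-tool` are made up.

```javascript
// Added example (not part of the PR or the repository): check every installed
// copy of cross-spawn in a lockfile against the vulnerable ranges stated in the
// PR, and build the package.json "overrides" entry that pins the fixed version.

// Parse "MAJOR.MINOR.PATCH"; pre-release/build suffixes are ignored for this check.
function parseSemver(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  if (!m) throw new Error(`not a semver version: ${version}`);
  return m.slice(1, 4).map(Number);
}

// Comparator: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const x = parseSemver(a);
  const y = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Vulnerable ranges exactly as listed in the PR: <6.0.6 || >=7.0.0 <7.0.5
function isVulnerableCrossSpawn(version) {
  const below606 = compareVersions(version, "6.0.6") < 0;
  const in70x =
    compareVersions(version, "7.0.0") >= 0 && compareVersions(version, "7.0.5") < 0;
  return below606 || in70x;
}

// lockfileVersion 2/3 lockfiles list every installed copy under "packages",
// keyed by on-disk path, so nested duplicates such as
// "node_modules/<tool>/node_modules/cross-spawn" show up here. A root override
// is only effective once all of those copies resolve to the fixed version.
function findCrossSpawn(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path.split("node_modules/").pop() !== "cross-spawn") continue;
    hits.push({ path, version: entry.version, vulnerable: isVulnerableCrossSpawn(entry.version) });
  }
  return hits;
}

// CI-style gate: ok only when no installed copy is in a vulnerable range.
function auditLock(lock) {
  const hits = findCrossSpawn(lock);
  const vulnerable = hits.filter((h) => h.vulnerable);
  return { ok: vulnerable.length === 0, hits, vulnerable };
}

// The override the PR adds to the root package.json, merged without clobbering
// any other overrides already present.
function addCrossSpawnOverride(pkg, range = "^7.0.6") {
  return { ...pkg, overrides: { ...(pkg.overrides || {}), "cross-spawn": range } };
}

// Constructed lockfile before the override: the root copy is already fixed,
// but two tools still carry their own nested, vulnerable copies.
const LOCK_BEFORE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-monorepo" },
    "node_modules/cross-spawn": { version: "7.0.6" },
    "node_modules/some-test-runner": { version: "1.0.0" },
    "node_modules/some-test-runner/node_modules/cross-spawn": { version: "7.0.3" },
    "node_modules/other-tool": { version: "2.0.0" },
    "node_modules/other-tool/node_modules/cross-spawn": { version: "6.0.5" },
  },
};

// Constructed lockfile after `npm install` with the override in place: the
// nested copies are gone and a single flattened copy remains.
const LOCK_AFTER = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-monorepo", overrides: { "cross-spawn": "^7.0.6" } },
    "node_modules/cross-spawn": { version: "7.0.6" },
    "node_modules/some-test-runner": { version: "1.0.0" },
    "node_modules/other-tool": { version: "2.0.0" },
  },
};

// Report for both constructed lockfiles plus the resulting package.json.
function demo() {
  return {
    before: auditLock(LOCK_BEFORE),
    after: auditLock(LOCK_AFTER),
    packageJson: addCrossSpawnOverride({ name: "demo-monorepo", version: "1.0.0" }),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

To run this against a real monorepo, replace the constructed objects with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` for the root, backend and frontend lockfiles the PR updates; a non-empty `vulnerable` list for any of them means the override did not flatten every copy and `npm audit` would still report the CVE.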
@vmrh21 vmrh21 closed this Feb 23, 2026
@vmrh21 vmrh21 deleted the fix/cve-2024-21538-cross-spawn-attempt-1 branch February 25, 2026 19:52