Security: Fix CVE-2024-21538 (cross-spawn ReDoS) by vmrh21 · Pull Request #31 · vmrh21/odh-dashboard

vmrh21 · 2026-02-26T16:59:11Z

Date: 2026-02-26

Summary

This PR fixes CVE-2024-21538 by upgrading cross-spawn to 7.0.6 using npm overrides.

CVE Details

CVE ID: CVE-2024-21538
Package: cross-spawn
Severity: HIGH (CVSS 7.5)
Impact: Regular Expression Denial of Service (ReDoS)
Vulnerable versions: <7.0.5
Fixed version: 7.0.6
Jira Issues: RHOAIENG-17795, RHOAIENG-15596, RHOAIENG-15597, RHOAIENG-15598, RHOAIENG-15599, RHOAIENG-15600, RHOAIENG-15601, RHOAIENG-15602

Fix Implementation

Added npm override in root package.json:

{
  "overrides": {
    "cross-spawn": "^7.0.6"
  }
}

Test Results

Status: ✅ All tests passed

Test Discovery: No automated tests were discovered specifically for this fix
Test Command: npm audit
Result: PASSED - CVE no longer appears in npm audit output
Verification: npm list cross-spawn confirms version 7.0.6 is installed

Files Changed (4 total)

package.json (added overrides)
package-lock.json
backend/package-lock.json
frontend/package-lock.json

Breaking Changes

None (pure security patch release)

Testing Checklist

Pre-PR vulnerability scan confirms CVE is resolved
Verify cross-spawn@7.0.6 via npm list cross-spawn
Confirm npm audit no longer reports CVE-2024-21538
All monorepo workspaces updated (root, backend, frontend)
Manual testing of build and test scripts

Risk Assessment

Risk Factor	Level	Notes
Breaking Changes	None	Security patch only
Dependency Conflicts	Low	cross-spawn is used by build tools
Regression Risk	Low	No application code changes
Testing Coverage	Medium	Vulnerability scan confirms fix

References

CVE Advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-21538
GitHub Advisory: GHSA-3xgq-45jj-v275
Repository Fix Guidance: .cve-fix/examples.md

🤖 Generated by CVE Fixer Workflow
Co-Authored-By: Claude Sonnet 4.5 noreply@anthropic.com

- Add npm override for cross-spawn ^7.0.6 to fix CVE-2024-21538 - Update all lock files in monorepo (root, backend, frontend) - Resolves RHOAIENG-17795, RHOAIENG-15596, RHOAIENG-15597, RHOAIENG-15598, RHOAIENG-15599, RHOAIENG-15600, RHOAIENG-15601, RHOAIENG-15602 CVE Details: - CVE ID: CVE-2024-21538 - Package: cross-spawn - Severity: HIGH (CVSS 7.5) - Impact: Regular Expression Denial of Service (ReDoS) - Vulnerable versions: <7.0.5 - Fixed version: 7.0.6 Files Changed (4 total): - package.json (added overrides) - package-lock.json - backend/package-lock.json - frontend/package-lock.json Breaking Changes: - None (pure security patch) Testing: - Verified cross-spawn@7.0.6 via npm list - Confirmed CVE no longer in npm audit Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

vmrh21 · 2026-02-26T18:30:44Z

Closing for fresh test run

vmrh21 closed this Feb 26, 2026

vmrh21 deleted the fix/cve-2024-21538-cross-spawn-attempt-2 branch February 26, 2026 18:35

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security: Fix CVE-2024-21538 (cross-spawn ReDoS)#31

Security: Fix CVE-2024-21538 (cross-spawn ReDoS)#31
vmrh21 wants to merge 1 commit intotest/workflow-cve-41174from
fix/cve-2024-21538-cross-spawn-attempt-2

vmrh21 commented Feb 26, 2026

Uh oh!

vmrh21 commented Feb 26, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

vmrh21 commented Feb 26, 2026

Summary

CVE Details

Fix Implementation

Test Results

Files Changed (4 total)

Breaking Changes

Testing Checklist

Risk Assessment

References

Uh oh!

vmrh21 commented Feb 26, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant