Security: Fix CVE-2024-21538 (cross-spawn ReDoS)#34

Closed
vmrh21 wants to merge 1 commit into test/workflow-cve-41174 from fix/cve-2024-21538-cross-spawn-attempt-1

Conversation

@vmrh21
Owner

vmrh21 commented Feb 26, 2026

Date: 2026-02-26

Summary

This PR fixes CVE-2024-21538 by upgrading cross-spawn from 7.0.3/6.0.5 to 7.0.6 using npm overrides.

CVE Details

  • CVE ID: CVE-2024-21538
  • Package: cross-spawn
  • Severity: HIGH (CVSS 7.5)
  • Impact: Regular Expression Denial of Service (ReDoS) via command parsing
  • Vulnerable versions: <7.0.6
  • Fixed version: 7.0.6
  • Jira Issues: Multiple RHOAIENG issues across release branches

Test Results ✅

Status: All tests passed

Tests discovered: Yes
Test command: npm test
Result: PASSED
Duration: ~45s

Test Summary
  • Total: 30 tests
  • Passed: 30
  • Failed: 0
  • Skipped: 0

Test suites: 4 passed, 4 total

Fix Approach

  • Used npm overrides field to force cross-spawn ^7.0.6
  • Updated all monorepo lock files (root, backend, frontend)
  • No application code changes required

Breaking Changes

None - this is a pure security patch with no API changes.

Testing Checklist

  • Pre-PR automated tests executed and passed
  • Verified cross-spawn@7.0.6 via npm list
  • Build tools and test runners still functional
  • Verify CVE is resolved with security scan

Files Changed

  • package.json (added overrides)
  • package-lock.json
  • backend/package-lock.json
  • frontend/package-lock.json

Risk Assessment

  • Risk Level: LOW
  • Reason: Security patch with no breaking changes
  • Testing: All existing unit tests pass

🤖 Generated by CVE Fixer Workflow

- Add npm override for cross-spawn ^7.0.6 to fix CVE-2024-21538
- Update all lock files in monorepo (root, backend, frontend)
- Resolves multiple RHOAIENG issues for CVE-2024-21538 across release branches

CVE Details:
- CVE ID: CVE-2024-21538
- Package: cross-spawn
- Severity: HIGH (CVSS 7.5)
- Impact: Regular Expression Denial of Service via command parsing
- Vulnerable versions: <7.0.6
- Fixed version: 7.0.6

Files Changed (4 total):
- package.json (added overrides for cross-spawn)
- package-lock.json
- backend/package-lock.json
- frontend/package-lock.json

Breaking Changes:
- None (security patch only)

Pre-PR Testing:
- Test framework: jest
- Test command: npm test
- Result: PASSED ✅
- All unit tests passed

Testing:
- Verified cross-spawn@7.0.6 via npm list
- All build and test tools still functional

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
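An added example, not code from this PR or the project: the "Verified cross-spawn@7.0.6 via npm list" step from the checklist above, done against the lock file itself. It walks a lockfileVersion 2/3 `packages` map and reports every installed copy of cross-spawn, nested ones included, that is still below the fixed 7.0.6. The sample lock contents and the `some-tool` package name are constructed; the helper names are hypothetical.

```javascript
// Added example, not code from this PR: audit a package-lock.json (lockfileVersion 2/3
// "packages" map) for every installed copy of cross-spawn below 7.0.6, the version that
// fixes CVE-2024-21538. Helper names are hypothetical; the sample lock is constructed.
const FIXED = [7, 0, 6]; // first non-vulnerable cross-spawn release

// Reduce a version string to [major, minor, patch]; prerelease/build tags are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Every node_modules path (top-level or nested) that installs cross-spawn < 7.0.6.
function findVulnerableCrossSpawn(lock) {
  const bad = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/cross-spawn') || !meta.version) continue;
    if (compareVersions(parseVersion(meta.version), FIXED) < 0) {
      bad.push({ path, version: meta.version });
    }
  }
  return bad;
}

// The package.json fragment the PR adds: an override also reaches transitive copies that
// a dependent's own range (e.g. ^6.0.0) would otherwise keep on the vulnerable line.
const OVERRIDE = { overrides: { 'cross-spawn': '^7.0.6' } };

// Constructed lock: the root copy is fixed, but a nested copy under "some-tool" is not.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app' },
    'node_modules/cross-spawn': { version: '7.0.6' },
    'node_modules/some-tool/node_modules/cross-spawn': { version: '6.0.5' },
  },
};

console.log(findVulnerableCrossSpawn(sampleLock));
// → [ { path: 'node_modules/some-tool/node_modules/cross-spawn', version: '6.0.5' } ]
```

To run it against a real repository, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findVulnerableCrossSpawn` for each of the root, backend and frontend lock files; an empty result is what the override is meant to produce.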

@github-actions

This PR is stale because it has been open 21 days with no activity. Remove stale label or comment or this will be closed in 7 days.

@github-actions github-actions bot added the Stale label Mar 20, 2026
@github-actions

This PR was closed because it has been stale for 21+7 days with no activity.

@github-actions github-actions bot closed this Mar 27, 2026