Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can drive up CPU usage and crash the program by supplying a very large, specially crafted string.
The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
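The affected range above (cross-spawn before 7.0.5) is what an inventory check needs. The following script is an added example, not part of the advisory or of the cross-spawn project: it walks a package-lock.json (lockfile version 1, 2 or 3) and reports every copy of cross-spawn, including nested duplicates, whose version is below 7.0.5. The lockfile contents are constructed for illustration.

```javascript
// Added example (not from the advisory): flag cross-spawn < 7.0.5 in an npm lockfile.
const FIXED = [7, 0, 5]; // first fixed release named in the advisory

// Parse "MAJOR.MINOR.PATCH" (pre-release/build suffixes ignored); null if unparseable.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// True when version sorts strictly below the fixed release.
function isVulnerable(version) {
  const p = parseVersion(version);
  if (!p) return false; // unknown format: report separately in a real scanner
  for (let i = 0; i < 3; i++) {
    if (p[i] < FIXED[i]) return true;
    if (p[i] > FIXED[i]) return false;
  }
  return false; // exactly 7.0.5
}

// Accepts a lockfile object or its JSON text; returns [{path, version}] for each hit.
function findVulnerableCrossSpawn(lockfile) {
  const lock = typeof lockfile === 'string' ? JSON.parse(lockfile) : lockfile;
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat "packages" map keyed by install path
    for (const [path, entry] of Object.entries(lock.packages)) {
      const isCrossSpawn = path === 'node_modules/cross-spawn' ||
        path.endsWith('/node_modules/cross-spawn');
      if (isCrossSpawn && entry.version && isVulnerable(entry.version)) {
        hits.push({ path, version: entry.version });
      }
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" tree
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'cross-spawn' && entry.version && isVulnerable(entry.version)) {
        hits.push({ path, version: entry.version });
      }
      walk(entry.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfiles (not real project data).
const SAMPLE_LOCK_V3 = {
  name: 'example-app', lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/cross-spawn': { version: '7.0.3' },                      // vulnerable
    'node_modules/foo': { version: '1.2.0' },
    'node_modules/foo/node_modules/cross-spawn': { version: '7.0.6' },     // fixed
    'node_modules/bar/node_modules/cross-spawn': { version: '6.0.5' },     // vulnerable
  },
};
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    'cross-spawn': { version: '7.0.5' },                                    // fixed
    baz: { version: '2.0.0', dependencies: { 'cross-spawn': { version: '5.1.0' } } },
  },
};

function demo() {
  return {
    v3: findVulnerableCrossSpawn(SAMPLE_LOCK_V3),
    v1: findVulnerableCrossSpawn(SAMPLE_LOCK_V1),
  };
}

module.exports = { parseVersion, isVulnerable, findVulnerableCrossSpawn, demo };
```

Run it against a real tree with `findVulnerableCrossSpawn(require('fs').readFileSync('package-lock.json', 'utf8'))`; nested copies matter because a single `npm update cross-spawn` does not always replace every duplicate pulled in by transitive dependencies.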
Name | Vendor | Start Version | End Version |
---|---|---|---|
Red Hat Advanced Cluster Security 4.4 | RedHat | advanced-cluster-security/rhacs-main-rhel8:4.4.7-2 | * |
Red Hat Advanced Cluster Security 4.5 | RedHat | advanced-cluster-security/rhacs-main-rhel8:4.5.5-3 | * |
Red Hat OpenShift Container Platform 4.14 | RedHat | monitoring-plugin-container-v4.14.0-202412040905.p0.g4fa7043.assembly.stream.el8 | * |
Red Hat OpenShift Container Platform 4.15 | RedHat | openshift4/ose-monitoring-plugin-rhel8:v4.15.0-202412041605.p0.g1217bc1.assembly.stream.el8 | * |
Red Hat OpenShift Container Platform 4.16 | RedHat | openshift4/ose-monitoring-plugin-rhel9:v4.16.0-202412040032.p0.g6cfc2c8.assembly.stream.el9 | * |
Red Hat OpenShift Container Platform 4.17 | RedHat | openshift4/ose-monitoring-plugin-rhel9:v4.17.0-202411261404.p0.gad057d3.assembly.stream.el9 | * |
Red Hat OpenShift Container Platform 4.17 | RedHat | openshift4/ose-networking-console-plugin-rhel9:v4.17.0-202411261204.p0.gfa9e6b0.assembly.stream.el9 | * |
Red Hat OpenShift Service Mesh 2.4 for RHEL 8 | RedHat | openshift-service-mesh/grafana-rhel8:2.4.13-2 | * |
Red Hat OpenShift Service Mesh 2.4 for RHEL 8 | RedHat | openshift-service-mesh/istio-cni-rhel8:2.4.13-2 | * |
Red Hat OpenShift Service Mesh 2.4 for RHEL 8 | RedHat | openshift-service-mesh/kiali-rhel8:1.65.18-1 | * |
Red Hat OpenShift Service Mesh 2.4 for RHEL 8 | RedHat | openshift-service-mesh/pilot-rhel8:2.4.13-2 | * |
Red Hat OpenShift Service Mesh 2.4 for RHEL 8 | RedHat | openshift-service-mesh/proxyv2-rhel8:2.4.13-4 | * |
Red Hat OpenShift Service Mesh 2.4 for RHEL 8 | RedHat | openshift-service-mesh/ratelimit-rhel8:2.4.13-2 | * |
Red Hat OpenShift Service Mesh 2.5 for RHEL 8 | RedHat | openshift-service-mesh/grafana-rhel8:2.5.7-2 | * |
Red Hat OpenShift Service Mesh 2.5 for RHEL 8 | RedHat | openshift-service-mesh/istio-cni-rhel8:2.5.7-3 | * |
Red Hat OpenShift Service Mesh 2.5 for RHEL 8 | RedHat | openshift-service-mesh/kiali-ossmc-rhel8:1.73.16-2 | * |
Red Hat OpenShift Service Mesh 2.5 for RHEL 8 | RedHat | openshift-service-mesh/kiali-rhel8:1.73.17-1 | * |
Red Hat OpenShift Service Mesh 2.5 for RHEL 8 | RedHat | openshift-service-mesh/pilot-rhel8:2.5.7-2 | * |
Red Hat OpenShift Service Mesh 2.5 for RHEL 8 | RedHat | openshift-service-mesh/proxyv2-rhel8:2.5.7-5 | * |
Red Hat OpenShift Service Mesh 2.5 for RHEL 8 | RedHat | openshift-service-mesh/ratelimit-rhel8:2.5.7-3 | * |
RHODF-4.16-RHEL-9 | RedHat | odf4/mcg-core-rhel9:v4.16.4-2 | * |
RHODF-4.17-RHEL-9 | RedHat | odf4/mcg-core-rhel9:v4.17.1-2 | * |
Red Hat Trusted Profile Analyzer | RedHat | rhtpa-trustification-service-rhel9 | * |
Red Hat Trusted Profile Analyzer | RedHat | rhtpa-guac-rhel9 | * |
Attackers can create crafted inputs that intentionally cause the regular expression to use excessive backtracking in a way that causes the CPU consumption to spike.
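The backtracking described above is a property of the pattern, not of the engine being slow. The following added example (not code from the advisory or from cross-spawn, which uses a different pattern) contrasts a constructed pattern with a nested quantifier, whose work on a non-matching input grows exponentially with input length, against an unambiguous pattern accepting the same strings, and shows the two mitigations a defender applies regardless of which library is affected: rewrite the pattern so the engine has only one way to consume each character, and cap input length before the regex ever runs. The input cap value is an assumption for illustration.

```javascript
// Added example (not from the advisory): ReDoS mitigation, shown on a constructed pattern.
const AMBIGUOUS = /^(a+)+$/;   // nested quantifiers: many ways to split a run of 'a'
const UNAMBIGUOUS = /^a+$/;    // same language, one way to consume each character

const MAX_INPUT_LEN = 256;     // assumed limit; size it to the field being validated

// Validate with a length guard in front of the regex. Input length is the
// exponent in the worst case, so bounding it bounds the work an input can force.
function guardedTest(re, input, maxLen = MAX_INPUT_LEN) {
  if (typeof input !== 'string') return { ok: false, reason: 'not a string' };
  if (input.length > maxLen) return { ok: false, reason: 'input too long' };
  return { ok: true, matched: re.test(input) };
}

// Wall-clock cost of one test() call, for comparing the two patterns by hand.
function timeMatch(re, input) {
  const t0 = process.hrtime.bigint();
  const matched = re.test(input);
  return { matched, ms: Number(process.hrtime.bigint() - t0) / 1e6 };
}

// Constructed worst-case input: a run of 'a' followed by a character that
// makes the match fail, so the engine tries every split before giving up.
function worstCase(n) {
  return 'a'.repeat(n) + '!';
}

// Both patterns agree on every input; only their cost differs.
function patternsAgree(inputs) {
  return inputs.every((s) => AMBIGUOUS.test(s) === UNAMBIGUOUS.test(s));
}

// Prints timings for growing n; run manually, not part of the assertions.
function demoTimings() {
  for (const n of [16, 20, 24]) {
    const s = worstCase(n);
    console.log(`n=${n}: ambiguous ${timeMatch(AMBIGUOUS, s).ms.toFixed(1)} ms, ` +
                `unambiguous ${timeMatch(UNAMBIGUOUS, s).ms.toFixed(3)} ms`);
  }
}

module.exports = { AMBIGUOUS, UNAMBIGUOUS, guardedTest, timeMatch, worstCase, patternsAgree, demoTimings };
```

Calling `demoTimings()` makes the growth visible: each extra `a` roughly doubles the ambiguous pattern's time on a non-match while the unambiguous one stays flat. In a code base, the same review applies to every pattern that runs on attacker-controlled strings: look for nested or overlapping quantifiers, prefer the unambiguous form, and put the length check before the match.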