Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.
The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Discovery 1 for RHEL 9 | RedHat | discovery/discovery-server-rhel9:1.12.0-1 | * |
| Discovery 1 for RHEL 9 | RedHat | discovery/discovery-ui-rhel9:1.12.0-1 | * |
| Red Hat Advanced Cluster Security 4.4 | RedHat | advanced-cluster-security/rhacs-main-rhel8:4.4.7-2 | * |
| Red Hat Advanced Cluster Security 4.5 | RedHat | advanced-cluster-security/rhacs-main-rhel8:4.5.5-3 | * |
| Red Hat OpenShift Container Platform 4.14 | RedHat | openshift4/ose-monitoring-plugin-rhel8:v4.14.0-202412040905.p0.g4fa7043.assembly.stream.el8 | * |
| Red Hat OpenShift Container Platform 4.15 | RedHat | openshift4/ose-monitoring-plugin-rhel8:v4.15.0-202412041605.p0.g1217bc1.assembly.stream.el8 | * |
| Red Hat OpenShift Container Platform 4.16 | RedHat | openshift4/ose-monitoring-plugin-rhel9:v4.16.0-202412040032.p0.g6cfc2c8.assembly.stream.el9 | * |
| Red Hat OpenShift Container Platform 4.17 | RedHat | openshift4/ose-monitoring-plugin-rhel9:v4.17.0-202411261404.p0.gad057d3.assembly.stream.el9 | * |
| Red Hat OpenShift Container Platform 4.17 | RedHat | openshift4/ose-networking-console-plugin-rhel9:v4.17.0-202411261204.p0.gfa9e6b0.assembly.stream.el9 | * |
| Red Hat OpenShift Container Platform 4.17 | RedHat | openshift4/nmstate-console-plugin-rhel9:v4.17.0-202501301204.p0.gcffdc60.assembly.stream.el9 | * |
| Red Hat OpenShift Dev Spaces 3 Containers | RedHat | devspaces/code-rhel9:3.18-6 | * |
| Red Hat OpenShift Dev Spaces 3 Containers | RedHat | devspaces/dashboard-rhel9:3.18-10 | * |
| Red Hat OpenShift Service Mesh 2.4 for RHEL 8 | RedHat | openshift-service-mesh/grafana-rhel8:2.4.13-2 | * |
| Red Hat OpenShift Service Mesh 2.4 for RHEL 8 | RedHat | openshift-service-mesh/istio-cni-rhel8:2.4.13-2 | * |
| Red Hat OpenShift Service Mesh 2.4 for RHEL 8 | RedHat | openshift-service-mesh/kiali-rhel8:1.65.18-1 | * |
| Red Hat OpenShift Service Mesh 2.4 for RHEL 8 | RedHat | openshift-service-mesh/pilot-rhel8:2.4.13-2 | * |
| Red Hat OpenShift Service Mesh 2.4 for RHEL 8 | RedHat | openshift-service-mesh/proxyv2-rhel8:2.4.13-4 | * |
| Red Hat OpenShift Service Mesh 2.4 for RHEL 8 | RedHat | openshift-service-mesh/ratelimit-rhel8:2.4.13-2 | * |
| Red Hat OpenShift Service Mesh 2.5 for RHEL 8 | RedHat | openshift-service-mesh/kiali-ossmc-rhel8:1.73.16-2 | * |
| Red Hat OpenShift Service Mesh 2.5 for RHEL 8 | RedHat | openshift-service-mesh/kiali-rhel8:1.73.17-1 | * |
| RHODF-4.15-RHEL-9 | RedHat | odf4/mcg-core-rhel9:v4.15.9-1 | * |
| RHODF-4.16-RHEL-9 | RedHat | odf4/mcg-core-rhel9:v4.16.4-2 | * |
| RHODF-4.16-RHEL-9 | RedHat | odf4/ocs-client-console-rhel9:v4.16.5-2 | * |
| RHODF-4.16-RHEL-9 | RedHat | odf4/odf-console-rhel9:v4.16.5-2 | * |
| RHODF-4.16-RHEL-9 | RedHat | odf4/odf-multicluster-console-rhel9:v4.16.5-2 | * |
| RHODF-4.17-RHEL-9 | RedHat | odf4/mcg-core-rhel9:v4.17.1-2 | * |
| RHODF-4.17-RHEL-9 | RedHat | odf4/ocs-client-console-rhel9:v4.17.2-1 | * |
| RHODF-4.17-RHEL-9 | RedHat | odf4/odf-console-rhel9:v4.17.2-1 | * |
| RHODF-4.17-RHEL-9 | RedHat | odf4/odf-multicluster-console-rhel9:v4.17.2-1 | * |
| RHODF-4.18-RHEL-9 | RedHat | odf4/ocs-client-console-rhel9:v4.18.0-65 | * |
| RHODF-4.18-RHEL-9 | RedHat | odf4/odf-console-rhel9:v4.18.0-65 | * |
| RHODF-4.18-RHEL-9 | RedHat | odf4/odf-multicluster-console-rhel9:v4.18.0-64 | * |
| Red Hat OpenShift AI 2.17 | RedHat | registry.redhat.io/rhoai/odh-dashboard-rhel8:sha256:e19276083d932dad46be57674cadf2757a4eeb5d1e2cc2b4ae650e0c8d2c1b02 | * |
| Red Hat Trusted Artifact Signer 1.1 | RedHat | registry.redhat.io/rhtas/rekor-search-ui-rhel9:sha256:ab85e4f3fe88f7c6a376445273ce5b76c10dc805e438314fbab6d668e75ed53d | * |
| Red Hat Trusted Artifact Signer 1.1 | RedHat | registry.redhat.io/rhtas/rekor-search-ui-rhel9:sha256:39220599ff9bbcd77ca8188a9c2c2cd75aa914b623bfc5ed01b6d0c607a833b9 | * |
| Red Hat Trusted Artifact Signer 1.1 | RedHat | registry.redhat.io/rhtas/rekor-search-ui-rhel9:sha256:1432b47ddd881eb1909453e939c791825e7853b4abc00a12dddd948f99022ab3 | * |
| Red Hat Trusted Profile Analyzer 1.2 | RedHat | registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9:sha256:8c6e51e26ca9a1d4d4fc9e90650103e60360cf0571533c56fbd08dac3007efbe | * |
| Red Hat Trusted Profile Analyzer 1.2 | RedHat | registry.redhat.io/rhtpa/rhtpa-guac-rhel9:sha256:9cc0e1374aa5e6ff8caf86d9bbd6f9c2dfa14d812ad99ae653a2fbb8ec124f30 | * |
| RHDH 1.4 | RedHat | registry.redhat.io/rhdh/rhdh-hub-rhel9:sha256:48edcf6f736e17f33d3630ce2fddc19e95316b7824a7af24e9f0df48ac4f4fe3 | * |
Attackers can create crafted inputs that
intentionally cause the regular expression to use
excessive backtracking in a way that causes the CPU
consumption to spike.