Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.
Weakness
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Discovery 1 for RHEL 9 | RedHat | discovery/discovery-server-rhel9:1.12.0-1 | * |
| Discovery 1 for RHEL 9 | RedHat | discovery/discovery-ui-rhel9:1.12.0-1 | * |
| Red Hat Advanced Cluster Security 4.4 | RedHat | advanced-cluster-security/rhacs-main-rhel8:4.4.7-2 | * |
| Red Hat Advanced Cluster Security 4.5 | RedHat | advanced-cluster-security/rhacs-main-rhel8:4.5.5-3 | * |
| Red Hat Developer Hub 1.3 on RHEL 9 | RedHat | rhdh/rhdh-hub-rhel9:1.3-131 | * |
| Red Hat Migration Toolkit for Containers 1.8 | RedHat | rhmtc/openshift-migration-ui-rhel8:v1.8.7-2 | * |
| Red Hat OpenShift Container Platform 4.14 | RedHat | openshift4/ose-monitoring-plugin-rhel8:v4.14.0-202412040905.p0.g4fa7043.assembly.stream.el8 | * |
| Red Hat OpenShift Container Platform 4.15 | RedHat | openshift4/ose-monitoring-plugin-rhel8:v4.15.0-202412041605.p0.g1217bc1.assembly.stream.el8 | * |
| Red Hat OpenShift Container Platform 4.16 | RedHat | openshift4/ose-monitoring-plugin-rhel9:v4.16.0-202412040032.p0.g6cfc2c8.assembly.stream.el9 | * |
| Red Hat OpenShift Container Platform 4.17 | RedHat | openshift4/ose-monitoring-plugin-rhel9:v4.17.0-202411261404.p0.gad057d3.assembly.stream.el9 | * |
| Red Hat OpenShift Container Platform 4.17 | RedHat | openshift4/ose-networking-console-plugin-rhel9:v4.17.0-202411261204.p0.gfa9e6b0.assembly.stream.el9 | * |
| Red Hat OpenShift Container Platform 4.17 | RedHat | openshift4/nmstate-console-plugin-rhel9:v4.17.0-202501301204.p0.gcffdc60.assembly.stream.el9 | * |
| Red Hat OpenShift Dev Spaces 3 Containers | RedHat | devspaces/code-rhel9:3.18-6 | * |
| Red Hat OpenShift Dev Spaces 3 Containers | RedHat | devspaces/dashboard-rhel9:3.18-10 | * |
| Red Hat OpenShift Service Mesh 2.4 for RHEL 8 | RedHat | openshift-service-mesh/grafana-rhel8:2.4.13-2 | * |
| Red Hat OpenShift Service Mesh 2.4 for RHEL 8 | RedHat | openshift-service-mesh/istio-cni-rhel8:2.4.13-2 | * |
| Red Hat OpenShift Service Mesh 2.4 for RHEL 8 | RedHat | openshift-service-mesh/kiali-rhel8:1.65.18-1 | * |
| Red Hat OpenShift Service Mesh 2.4 for RHEL 8 | RedHat | openshift-service-mesh/pilot-rhel8:2.4.13-2 | * |
| Red Hat OpenShift Service Mesh 2.4 for RHEL 8 | RedHat | openshift-service-mesh/proxyv2-rhel8:2.4.13-4 | * |
| Red Hat OpenShift Service Mesh 2.4 for RHEL 8 | RedHat | openshift-service-mesh/ratelimit-rhel8:2.4.13-2 | * |
| Red Hat OpenShift Service Mesh 2.5 for RHEL 8 | RedHat | openshift-service-mesh/kiali-ossmc-rhel8:1.73.16-2 | * |
| Red Hat OpenShift Service Mesh 2.5 for RHEL 8 | RedHat | openshift-service-mesh/kiali-rhel8:1.73.17-1 | * |
| RHODF-4.14-RHEL-9 | RedHat | odf4/ocs-client-console-rhel9:v4.14.18-2 | * |
| RHODF-4.14-RHEL-9 | RedHat | odf4/odf-console-rhel9:v4.14.18-3 | * |
| RHODF-4.14-RHEL-9 | RedHat | odf4/odf-multicluster-console-rhel9:v4.14.18-2 | * |
| RHODF-4.15-RHEL-9 | RedHat | odf4/mcg-core-rhel9:v4.15.9-1 | * |
| RHODF-4.15-RHEL-9 | RedHat | odf4/ocs-client-console-rhel9:v4.15.14-2 | * |
| RHODF-4.15-RHEL-9 | RedHat | odf4/odf-console-rhel9:v4.15.14-2 | * |
| RHODF-4.15-RHEL-9 | RedHat | odf4/odf-multicluster-console-rhel9:v4.15.14-2 | * |
| RHODF-4.16-RHEL-9 | RedHat | odf4/mcg-core-rhel9:v4.16.4-2 | * |
| RHODF-4.16-RHEL-9 | RedHat | odf4/ocs-client-console-rhel9:v4.16.5-2 | * |
| RHODF-4.16-RHEL-9 | RedHat | odf4/odf-console-rhel9:v4.16.5-2 | * |
| RHODF-4.16-RHEL-9 | RedHat | odf4/odf-multicluster-console-rhel9:v4.16.5-2 | * |
| RHODF-4.17-RHEL-9 | RedHat | odf4/mcg-core-rhel9:v4.17.1-2 | * |
| RHODF-4.17-RHEL-9 | RedHat | odf4/ocs-client-console-rhel9:v4.17.2-1 | * |
| RHODF-4.17-RHEL-9 | RedHat | odf4/odf-console-rhel9:v4.17.2-1 | * |
| RHODF-4.17-RHEL-9 | RedHat | odf4/odf-multicluster-console-rhel9:v4.17.2-1 | * |
| RHODF-4.18-RHEL-9 | RedHat | odf4/ocs-client-console-rhel9:v4.18.0-65 | * |
| RHODF-4.18-RHEL-9 | RedHat | odf4/odf-console-rhel9:v4.18.0-65 | * |
| RHODF-4.18-RHEL-9 | RedHat | odf4/odf-multicluster-console-rhel9:v4.18.0-64 | * |
| Red Hat Developer Hub (RHDH) 1.4 | RedHat | rhdh/rhdh-hub-rhel9:1.4-1734106454 | * |
| Red Hat OpenShift AI 2.16 | RedHat | rhoai/odh-dashboard-rhel8:v2.16.2-1741963152 | * |
| Red Hat OpenShift AI 2.16 | RedHat | rhoai/odh-dashboard-rhel8:v2.16.2-1741963152 | * |
| Red Hat OpenShift AI 2.17 | RedHat | rhoai/odh-dashboard-rhel8:v2.17.0-1739103483 | * |
| Red Hat Trusted Artifact Signer 1.1 | RedHat | rhtas/rekor-search-ui-rhel9:1.1.1-1736885867 | * |
| Red Hat Trusted Artifact Signer 1.1 | RedHat | rhtas/rekor-search-ui-rhel9:1.1.1-1738843589 | * |
| Red Hat Trusted Artifact Signer 1.1 | RedHat | rhtas/rekor-search-ui-rhel9:1.1.1-1740413302 | * |
| Red Hat Trusted Profile Analyzer 1.2 | RedHat | rhtpa/rhtpa-trustification-service-rhel9:1.2.1-1733826968 | * |
| Red Hat Trusted Profile Analyzer 1.2 | RedHat | rhtpa/rhtpa-guac-rhel9:1.2.1-1733575106 | * |
Potential Mitigations
Related Attack Patterns
References
- https://github.com/moxystudio/node-cross-spawn/commit/5ff3a07d9add449021d806e45c4168203aa833ff
- https://github.com/moxystudio/node-cross-spawn/commit/640d391fde65388548601d95abedccc12943374f
- https://github.com/moxystudio/node-cross-spawn/pull/160
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8366349
- https://security.snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230