CVE-2024-21538 in latest Node v18 #200

Closed
KuSh opened this issue Feb 4, 2025 · 1 comment
Labels
dont-believe-affects-nodejs dont-fall-in-threat-model When a vulnerability might affect Node.js but do not fall in the Node.js threat model v18.x

Comments

@KuSh

KuSh commented Feb 4, 2025

Version

v18.20.6

Platform

Linux 7c173fe85174 6.12.11-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.12.11-1 (2025-01-25) x86_64 GNU/Linux

Subsystem

npm

What steps will reproduce the bug?

docker run --rm -ti trivy image node:18 --scanners vuln --severity HIGH,CRITICAL --ignore-unfixed

How often does it reproduce? Is there a required condition?

Always reproducible

What is the expected behavior? Why is that the expected behavior?

No CVE found

What do you see instead?

Node.js (node-pkg)

Total: 1 (HIGH: 1, CRITICAL: 0)

┌────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────┐
│          Library           │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                       Title                       │
├────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────┤
│ cross-spawn (package.json) │ CVE-2024-21538 │ HIGH     │ fixed  │ 7.0.3             │ 7.0.5, 6.0.6  │ cross-spawn: regular expression denial of service │
│                            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-21538        │
└────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────┘

Additional information

Upgrading npm package to 10.9.1 will fix the vulnerability, see npm/cli@029060c
Was done for main and v20 with nodejs/node#56135
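A local check for the condition this report describes, added here as an example and not part of the issue or of Node.js/npm: it reads the version of the cross-spawn copy bundled inside an npm installation and compares it against the fixed versions trivy lists in the table above (7.0.5 for the 7.x line, 6.0.6 for the 6.x line). It assumes the usual npm layout in which bundled dependencies live under node_modules/ of the npm package directory; the directory argument (for example "$(npm root -g)/npm") is supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the issue): report whether the cross-spawn bundled
# with an npm install is still in the version range flagged for CVE-2024-21538.
# Fixed versions are taken from the trivy output above: 7.0.5 (7.x), 6.0.6 (6.x).

# Return 0 (true) when dotted version $1 is >= $2, comparing each numeric
# field in turn. A prerelease suffix such as "-beta.1" is ignored.
version_ge() {
    a=${1%%-*}; b=${2%%-*}
    while [ -n "$a$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Exit 0 when cross-spawn version $1 is at or above the fix for its release
# line, 1 when it is in the range reported as vulnerable, and 2 for a release
# line the trivy table above does not cover (needs manual review).
cross_spawn_fixed() {
    case ${1%%.*} in
        7) version_ge "$1" 7.0.5 ;;
        6) version_ge "$1" 6.0.6 ;;
        *) return 2 ;;
    esac
}

# Extract the "version" field from a package.json without needing node or jq.
pkg_version() {
    sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# $1 is the npm package directory (assumption: bundled deps sit under its
# node_modules/). Exit 0 if the bundled cross-spawn is fixed, 1 if not,
# 2 if no bundled copy is found or its release line is unknown.
check_bundled_cross_spawn() {
    pj="$1/node_modules/cross-spawn/package.json"
    if [ ! -f "$pj" ]; then
        echo "no bundled cross-spawn found under $1"
        return 2
    fi
    v=$(pkg_version "$pj")
    if cross_spawn_fixed "$v"; then
        echo "cross-spawn $v: at or above the fixed version"
        return 0
    elif [ $? -eq 2 ]; then
        echo "cross-spawn $v: release line not covered by the advisory table, review manually"
        return 2
    else
        echo "cross-spawn $v: in the range reported for CVE-2024-21538"
        return 1
    fi
}

# Usage: sh check-cross-spawn.sh "$(npm root -g)/npm"
if [ $# -gt 0 ]; then
    check_bundled_cross_spawn "$1"
fi
```

On the Node 18 image from the report the bundled copy is 7.0.3, so the check exits 1; after the npm 10.9.1 upgrade the issue mentions it should exit 0. The exit status is deliberate so the script can sit in a CI step next to the trivy scan.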

@richardlau richardlau transferred this issue from nodejs/node Feb 4, 2025
@RafaelGSS
Member

Duplicate of #193

@RafaelGSS RafaelGSS closed this as not planned Won't fix, can't repro, duplicate, stale Feb 4, 2025
@RafaelGSS RafaelGSS added dont-believe-affects-nodejs dont-fall-in-threat-model When a vulnerability might affect Node.js but do not fall in the Node.js threat model labels Feb 4, 2025