CVE-2024-21538: 
JavaScript vulnerability analysis and mitigation

CVE-2024-21538 affects versions of the cross-spawn package before 7.0.5. The vulnerability was discovered on October 24, 2024, and publicly disclosed on November 8, 2024. This security issue is a Regular Expression Denial of Service (ReDoS) vulnerability that exists due to improper input sanitization in the package (NVD, Snyk JS).

The vulnerability exists in the package's input sanitization mechanism where a specially crafted string can cause catastrophic backtracking in regular expressions. The issue has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The vulnerability is categorized as CWE-1333 (Inefficient Regular Expression Complexity) (Snyk JS).

When exploited, this vulnerability can cause the program to experience significant CPU usage and potentially crash. The attack can be performed remotely and requires no special privileges or user interaction. While there is no impact on confidentiality or integrity, the availability of the system can be severely affected (Snyk JS).

The vulnerability has been fixed in version 7.0.5 of cross-spawn. Users are advised to upgrade to version 7.0.5 or higher to address this security issue. The fix involves modifying the regular expression patterns to disable backtracking and prevent the denial of service condition (GitHub Commit).

The vulnerability has been acknowledged by Red Hat and incorporated into their security advisories. Multiple Red Hat products have been updated to address this vulnerability, including Red Hat OpenShift Data Foundation and Red Hat OpenShift Service Mesh (Red Hat Advisory).