
CVE-2024-21538 in latest Node v18 #200

@KuSh

Description


Version

v18.20.6

Platform

Linux 7c173fe85174 6.12.11-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.12.11-1 (2025-01-25) x86_64 GNU/Linux

Subsystem

npm

What steps will reproduce the bug?

docker run --rm -ti trivy image node:18 --scanners vuln --severity HIGH,CRITICAL --ignore-unfixed

How often does it reproduce? Is there a required condition?

Always reproducible

What is the expected behavior? Why is that the expected behavior?

No CVE found

What do you see instead?

Node.js (node-pkg)

Total: 1 (HIGH: 1, CRITICAL: 0)

┌────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────┐
│          Library           │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                       Title                       │
├────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────┤
│ cross-spawn (package.json) │ CVE-2024-21538 │ HIGH     │ fixed  │ 7.0.3             │ 7.0.5, 6.0.6  │ cross-spawn: regular expression denial of service │
│                            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-21538        │
└────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────┘

Additional information

Upgrading the npm package to 10.9.1 will fix the vulnerability; see npm/cli@029060c.
This was done for main and v20 in nodejs/node#56135.
