Skip to content

[GHSA-3xgq-45jj-v275] Regular Expression Denial of Service (ReDoS) in cross-spawn #6483

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
aprendis543 wants to merge 1 commit into
base: aprendis543/advisory-improvement-6483
Choose a base branch
from
Open

[GHSA-3xgq-45jj-v275] Regular Expression Denial of Service (ReDoS) in cross-spawn #6483

aprendis543 wants to merge 1 commit into from
+2 −6

Conversation

@aprendis543
Copy link

@aprendis543 aprendis543 commented Nov 30, 2025

Updates

  • CVSS v3
  • CVSS v4
  • Severity

Comments
sha256:4232e547f04af7f5c9f6e873d56dd740caae50a20f95146e63082b7fb15de803

@github-actions github-actions bot changed the base branch from main to aprendis543/advisory-improvement-6483 November 30, 2025 02:23
@yhidad31
Copy link

yhidad31 commented Dec 2, 2025

Hi @aprendis543, I see your CVSS 3.0 and 4.0 suggestions: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H and the removal of CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P. Can you explain the rationale for changing the scores, or link to analysis/supporting references? If you'd like, we can run this through the CVSS calculator and reevaluate if we agree. In addition, please link to the SHA reference as we did not find it in the node-cross-spawn repository.

@github-actions
Copy link

github-actions bot commented Dec 18, 2025

👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the Keep label to hold stale off permanently, or do nothing. If you do nothing this pull request will be closed eventually by the stale bot. Please see CONTRIBUTING.md for more policy details.

@github-actions github-actions bot added the Stale label Dec 18, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

Stale

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@aprendis543 @yhidad31