
Security Vulnerabilities in Dependencies: cross-spawn 7.0.3 and braces < 3.0.3 #3741

Open
MayorFaj opened this issue Mar 11, 2025 · 6 comments
Labels
bug Something isn't working

Comments

@MayorFaj

Security Vulnerabilities in Dependencies: cross-spawn 7.0.3 and braces < 3.0.3

Describe the bug
The GitHub Actions runner (v2.322.0) contains two high-severity dependencies with known security vulnerabilities:

  1. cross-spawn 7.0.3 - Regular Expression Denial of Service (ReDoS) vulnerability (CVE-2024-21538)
  2. braces < 3.0.3 - Memory Exhaustion vulnerability (CVE-2024-4068)

These vulnerabilities are being detected by image scanners and causing security scans to fail in our CI/CD pipelines.

To Reproduce

  1. Run security scanning tools (like Snyk, OWASP dependency check, etc.) against GitHub Actions runner v2.322.0
  2. Observe that the vulnerabilities are flagged
  3. The security scan fails, blocking the pipeline

Expected behavior
The dependencies should be updated to their fixed versions:

  • cross-spawn should be updated to 7.0.5+
  • braces should be updated to 3.0.3+

Runner Version and Platform

  • Runner version: v2.322.0
  • This affects all platforms (OSX/Windows/Linux) as these are JavaScript dependencies

What's not working?

Security scans are failing due to these high-severity vulnerabilities, causing our deployment pipelines to halt at security gates. Our organization's security policy requires remediating high-severity vulnerabilities before deployment.

Vulnerability Details

cross-spawn (CVE-2024-21538):
Versions before 7.0.5 are vulnerable to Regular Expression Denial of Service due to improper input sanitization. An attacker can increase CPU usage and crash the program by crafting a large, well-crafted string.
References:

braces (CVE-2024-4068):
Versions prior to 3.0.3 fail to limit the number of characters they can handle, leading to Memory Exhaustion. If a malicious user sends "imbalanced braces" as input, the parsing enters a loop that allocates heap memory without freeing it, eventually causing the program to crash.
References:

@MayorFaj MayorFaj added the bug Something isn't working label Mar 11, 2025
@MayorFaj
Author

I am currently working on bumping the version to the stable and latest version

@MayorFaj
Author

I've submitted a fix for these vulnerabilities in PR#3743, which updates both cross-spawn to v7.0.6 and braces to v3.0.3.

@Blizter
Contributor

Blizter commented Mar 13, 2025

Hello @MayorFaj ,

I am also getting an additional dependency error, would you like me to open an issue for this one as well?

Image

@MayorFaj
Author

@Blizter the vulns are in the dependencies of the docker-buildx version used in the docker image.

@Blizter
Contributor

Blizter commented Mar 14, 2025

Thank you @MayorFaj
I opened a PR to bump up Docker and Buildx versions: #3750

@theGameChangerDev

Package-Path: /actions-runner/externals/node20/lib/node_modules/cross-spawn/package.json
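A defender-side check for the two findings in this thread, added here as an example and not the runner project's own code: it walks a runner install's bundled node_modules trees (nested copies included, as under the externals/node20 path quoted above) and reports any cross-spawn below 7.0.5 or braces below 3.0.3. The directory layout it audits is constructed inside a temporary directory; the version numbers in it are samples, not taken from any real runner.

```python
"""Audit bundled node_modules for packages below the fixed versions named in this issue."""
import json
import os
import re
import tempfile

# Minimum patched versions from the issue: cross-spawn 7.0.5+, braces 3.0.3+.
MIN_FIXED = {"cross-spawn": (7, 0, 5), "braces": (3, 0, 3)}


def parse_version(text):
    """'v7.0.3' -> (7, 0, 3); prerelease/build suffixes are ignored."""
    core = re.match(r"\d+(\.\d+)*", text.strip().lstrip("v"))
    if core is None:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in core.group(0).split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def find_vulnerable(root, minimums=MIN_FIXED):
    """Walk every node_modules tree under root (nested copies included) and
    return sorted (package.json path, version) pairs that are below the fix."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files or "node_modules" not in dirpath.split(os.sep):
            continue
        path = os.path.join(dirpath, "package.json")
        with open(path, encoding="utf-8") as fh:
            meta = json.load(fh)
        name, version = meta.get("name"), meta.get("version", "0")
        if name in minimums and parse_version(version) < minimums[name]:
            hits.append((os.path.relpath(path, root).replace(os.sep, "/"), version))
    return sorted(hits)


def audit_sample():
    """Build a constructed tree mirroring the path quoted in the thread and audit it."""
    layout = {  # relative package dir -> installed version (constructed sample data)
        "externals/node20/lib/node_modules/cross-spawn": "7.0.3",             # vulnerable
        "externals/node20/lib/node_modules/npm/node_modules/braces": "3.0.2",  # nested, vulnerable
        "externals/node20/lib/node_modules/braces": "3.0.3",                   # patched
        "externals/node20/lib/node_modules/npm/node_modules/which": "2.0.2",   # not tracked
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, ver in layout.items():
            os.makedirs(os.path.join(tmp, rel), exist_ok=True)
            with open(os.path.join(tmp, rel, "package.json"), "w", encoding="utf-8") as fh:
                json.dump({"name": rel.rsplit("/", 1)[-1], "version": ver}, fh)
        return find_vulnerable(tmp)
```

Point `find_vulnerable` at a real runner directory (for example the `/actions-runner` root from the path above) to audit an actual install; an empty list means neither package is below its fixed version.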
