Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.

atlassian_confluence CONFSERVER-101477: DoS (Denial of Service) Third-Party Dependency in Confluence Data Center and Server - CVE-2024-37890

atlassian_confluence CONFSERVER-101488: SSRF (Server-Side Request Forgery) Third-Party Dependency in Confluence Data Center and Server - CVE-2023-42282

atlassian_confluence CONFSERVER-101485: Improper Authorization Third-Party Dependency in Confluence Data Center and Server - CVE-2025-41248

atlassian_confluence CONFSERVER-101480: DoS (Denial of Service) Third-Party Dependency in Confluence Data Center and Server - CVE-2024-45296

atlassian_confluence CONFSERVER-101487: Prototype Pollution Third-Party Dependency in Confluence Data Center and Server - CVE-2022-46175

atlassian_confluence CONFSERVER-101486: DoS (Denial of Service) Third-Party Dependency in Confluence Data Center and Server - CVE-2023-42282

The remote NewStart CGSL host, running version MAIN 7.02, has nodejs packages installed that are affected by a vulnerability:

  - Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular     Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU     usage and crash the program by crafting a very large and well crafted string. (CVE-2024-21538)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular     Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU     usage and crash the program by crafting a very large and well crafted string. (CVE-2024-21538)

Note that Nessus relies on the presence of the package as reported by the vendor.

The version of nodejs / nodejs18 / reaper installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-21538 advisory.

  - Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular     Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU     usage and crash the program by crafting a very large and well crafted string. (CVE-2024-21538)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2025-795 advisory.

    Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service     (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program     by crafting a very large and well crafted string. (CVE-2024-21538)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2025-796 advisory.

    Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service     (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program     by crafting a very large and well crafted string. (CVE-2024-21538)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2024:4286-1 advisory.

    - CVE-2024-21538: Fixed regular expression denial of service in cross-spawn dependency (bsc#1233856)

    Other fixes:
    - Updated to 20.18.1:
      * Experimental Network Inspection Support in Node.js
      * Exposes X509_V_FLAG_PARTIAL_CHAIN to tls.createSecureContext
      * New option for vm.createContext() to create a context with a         freezable globalThis
      * buffer: optimize createFromString
    - Changes in 20.17.0:
      * module: support require()ing synchronous ESM graphs
      * path: add matchesGlob method
      * stream: expose DuplexPair API
    - Changes in 20.16.0:
      * process: add process.getBuiltinModule(id)
      * inspector: fix disable async hooks on Debugger.setAsyncCallStackDepth
      * buffer: add .bytes() method to Blob

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2024:4300-1 advisory.

    - CVE-2024-21538: Fixed regular expression denial of service in cross-spawn dependency (bsc#1233856)

    Other fixes:
    - Updated to 20.18.1:
      * Experimental Network Inspection Support in Node.js
      * Exposes X509_V_FLAG_PARTIAL_CHAIN to tls.createSecureContext
      * New option for vm.createContext() to create a context with a         freezable globalThis
      * buffer: optimize createFromString
    - Changes in 20.17.0:
      * module: support require()ing synchronous ESM graphs
      * path: add matchesGlob method
      * stream: expose DuplexPair API
    - Changes in 20.16.0:
      * process: add process.getBuiltinModule(id)
      * inspector: fix disable async hooks on Debugger.setAsyncCallStackDepth
      * buffer: add .bytes() method to Blob

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2024:4301-1 advisory.

    - CVE-2024-21538: Fixed regular expression denial of service in cross-spawn dependency (bsc#1233856)

    Other fixes:
    - Update to 18.20.5
      * esm: mark import attributes and JSON module as stable
      * deps:
        - upgrade npm to 10.8.2
        - update simdutf to 5.6.0
        - update brotli to 1.1.0
        - update ada to 2.8.0
        - update acorn to 8.13.0
        - update acorn-walk to 8.3.4
        - update c-ares to 1.29.0

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES12 host has packages installed that are affected by a vulnerability as referenced in the SUSE- SU-2024:4272-1 advisory.

    - CVE-2024-21538: Fixed regular expression denial of service in cross-spawn dependency (bsc#1233856)

    - Update to 18.20.5
      * esm: mark import attributes and JSON module as stable
      * deps:
        + upgrade npm to 10.8.2         + update simdutf to 5.6.0         + update brotli to 1.1.0         + update ada to 2.8.0         + update acorn to 8.13.0         + update acorn-walk to 8.3.4         + update c-ares to 1.29.0

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of nodejs / nodejs18 / reaper installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-21538 advisory.

  - Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular     Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU     usage and crash the program by crafting a very large and well crafted string. (CVE-2024-21538)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
274076	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : aws-cli, local-npm-registry, python-boto3, python-botocore, python-coverage, python-flaky, python-pluggy, python-pytest, python-pytest-cov, python-pytest-html, python-pytest-metadata, python-pytest-mock (SUSE-SU-2025:3744-1)	Nessus	SuSE Local Security Checks	critical
271281	NewStart CGSL MAIN 7.02 : nodejs Vulnerability (NS-SA-2025-0245)	Nessus	NewStart CGSL Local Security Checks	high
228288	Linux Distros Unpatched Vulnerability : CVE-2024-21538	Nessus	Misc.	high
215614	Azure Linux 3.0 Security Update: nodejs / nodejs18 / reaper (CVE-2024-21538)	Nessus	Azure Linux Local Security Checks	high
213677	Amazon Linux 2023 : nodejs20, nodejs20-devel, nodejs20-full-i18n (ALAS2023-2025-795)	Nessus	Amazon Linux Local Security Checks	high
213672	Amazon Linux 2023 : nodejs, nodejs-devel, nodejs-full-i18n (ALAS2023-2025-796)	Nessus	Amazon Linux Local Security Checks	high
212739	SUSE SLES15 / openSUSE 15 Security Update : nodejs20 (SUSE-SU-2024:4286-1)	Nessus	SuSE Local Security Checks	high
212733	SUSE SLES15 / openSUSE 15 Security Update : nodejs20 (SUSE-SU-2024:4300-1)	Nessus	SuSE Local Security Checks	high
212729	SUSE SLES15 / openSUSE 15 Security Update : nodejs18 (SUSE-SU-2024:4301-1)	Nessus	SuSE Local Security Checks	high
212323	SUSE SLES12 Security Update : nodejs18 (SUSE-SU-2024:4272-1)	Nessus	SuSE Local Security Checks	high
211746	CBL Mariner 2.0 Security Update: nodejs / nodejs18 / reaper (CVE-2024-21538)	Nessus	MarinerOS Local Security Checks	high

Detections

Analytics

CVE-2024-21538

high

Tenable Plugins

Coming Soon

critical

high

high

high

high

high

high

high

high

high

high