Amazon Linux 2023: CVE-2024-21538: Medium priority package update for nodejs20 (Multiple Advisories)

Amazon Linux 2023: CVE-2024-21538: Medium priority package update for nodejs20 (Multiple Advisories)

Severity

4

CVSS

(AV:L/AC:H/Au:S/C:N/I:N/A:C)

Published

11/08/2024

Created

02/14/2025

Added

02/14/2025

Modified

02/14/2025

Description

Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string. A Regular Expression Denial of Service (ReDoS) vulnerability was found in the cross-spawn package for Node.js. Due to improper input sanitization, an attacker can increase CPU usage and crash the program with a large, specially crafted string.

Solution(s)

• amazon-linux-2023-upgrade-nodejs
• amazon-linux-2023-upgrade-nodejs20
• amazon-linux-2023-upgrade-nodejs20-debuginfo
• amazon-linux-2023-upgrade-nodejs20-debugsource
• amazon-linux-2023-upgrade-nodejs20-devel
• amazon-linux-2023-upgrade-nodejs20-docs
• amazon-linux-2023-upgrade-nodejs20-full-i18n
• amazon-linux-2023-upgrade-nodejs20-libs
• amazon-linux-2023-upgrade-nodejs20-libs-debuginfo
• amazon-linux-2023-upgrade-nodejs20-npm
• amazon-linux-2023-upgrade-nodejs-debuginfo
• amazon-linux-2023-upgrade-nodejs-debugsource
• amazon-linux-2023-upgrade-nodejs-devel
• amazon-linux-2023-upgrade-nodejs-docs
• amazon-linux-2023-upgrade-nodejs-full-i18n
• amazon-linux-2023-upgrade-nodejs-libs
• amazon-linux-2023-upgrade-nodejs-libs-debuginfo
• amazon-linux-2023-upgrade-nodejs-npm
• amazon-linux-2023-upgrade-v8-10-2-devel
• amazon-linux-2023-upgrade-v8-11-3-devel

References

• https://attackerkb.com/topics/cve-2024-21538
• CVE - 2024-21538
• https://alas.aws.amazon.com/AL2023/ALAS-2025-795.html
• https://alas.aws.amazon.com/AL2023/ALAS-2025-796.html