Fix cross-spawn CVE-2024-21538 — ReDoS Vulnerability | PackageFix

Last updated: April 1, 2026 · Data: OSV Database

Updated April 1, 2026 · HIGH · CVSS 7.5 · Safe version: 7.0.5

cross-spawn has a high-severity ReDoS vulnerability (CVE-2024-21538) affecting all versions below 7.0.5. With 148 million weekly downloads, it is almost always a transitive dependency — you probably have it without knowing. Fix: npm overrides forcing 7.0.5.

CVE-2024-21538 Details

CVE ID: CVE-2024-21538
Severity: HIGH, CVSS 7.5
Type: ReDoS — Regular Expression Denial of Service
Affected: cross-spawn < 6.0.6 and cross-spawn 7.0.0–7.0.4
Safe versions: 6.0.6+ or 7.0.5+
Disclosed: November 8, 2024
CISA KEV: No

What is the vulnerability?

cross-spawn uses a regular expression to escape arguments when spawning child processes. The regex has catastrophic backtracking behavior — a crafted string with many backslashes followed by a specific Unicode character causes the CPU to spike to 100% and the process to hang indefinitely. This is a classic ReDoS pattern.

The vulnerable code is in cross-spawn/lib/util/escape.js in the argument() function. The fix in 7.0.5 disables regexp backtracking entirely for this case.

Am I affected?

# Check if cross-spawn is in your tree
npm ls cross-spawn

# Check the version specifically
npm ls cross-spawn | grep cross-spawn

# If you see any version below 7.0.5, you are affected

Typical output showing the problem:

my-app@1.0.0
├── jest@29.7.0
│   └── cross-spawn@7.0.3  <-- VULNERABLE
└── eslint@8.57.0
    └── cross-spawn@7.0.3  <-- VULNERABLE

Fix: npm overrides

cross-spawn is almost always a transitive dependency. The fix is to add an npm override that forces all packages to use the safe version.

// package.json
{
  "dependencies": {
    "jest": "^29.7.0",
    "eslint": "^8.57.0"
  },
  "overrides": {
    "cross-spawn": "7.0.5"
  }
}

# After adding the override, reinstall
npm install

# Verify the fix
npm ls cross-spawn
# All instances should now show 7.0.5

# Confirm npm audit is clean
npm audit

Why cross-spawn is everywhere

cross-spawn solves a real problem: Node.js's built-in child_process.spawn has inconsistent behavior on Windows. Argument escaping works differently, paths with spaces break, and certain characters cause issues. cross-spawn wraps the built-in to provide consistent cross-platform behavior.

This is why virtually every tool that runs CLI commands uses it — jest, eslint, webpack, vite, create-react-app, npm itself. Most Node.js projects have it 5-15 times over at various depths. The 148 million weekly downloads are almost entirely transitive.

PackageFix detects this automatically

Paste your package-lock.json into PackageFix. It scans the full lockfile including transitive packages, flags cross-spawn below 7.0.5, and generates the exact overrides block above.


Common questions

How do I fix cross-spawn if it is not in my package.json?
cross-spawn is almost always a transitive dependency — you did not install it directly. Use npm overrides to force the safe version: add {"overrides": {"cross-spawn": "7.0.5"}} to your package.json. Then run npm install. PackageFix generates this overrides block automatically when it detects a vulnerable cross-spawn.
Which packages pull in cross-spawn?
cross-spawn is a dependency of jest, eslint, webpack, create-react-app, vite, npm itself, and thousands of other tools. Most Node.js projects have it several times over at various depths in their dependency tree. Run npm ls cross-spawn to see all the paths.
Is the cross-spawn ReDoS exploitable in production?
It depends on whether user-controlled input reaches the cross-spawn argument() function. In most applications cross-spawn is used for running build tools and CLI commands — not for processing user input. The risk is lower for production web apps and higher for CLI tools or build systems that process user-supplied arguments. Updating is still the right call.
Does npm audit fix update cross-spawn automatically?
Sometimes. If the parent package has released a version using cross-spawn 7.0.5+, npm audit fix will update it. If the parent has not updated yet, npm audit fix will report 'no fix available' — that is when you need the npm overrides approach.
What is the difference between cross-spawn and child_process.spawn?
Node.js has a built-in child_process.spawn but it has inconsistent behavior on Windows. cross-spawn wraps it to provide consistent cross-platform behavior. That is why it appears in so many tools — anything that runs CLI commands on both Linux/Mac and Windows tends to use it.