cross-spawn ReDoS
Regular expression denial of service in argument parsing
Severity (CVSS): HIGH 7.5
Exploitation (Shoulder): No known exploits
Fix available: No patch yet
Affected packages: cross-spawn (npm)
Is this in your code?
Shoulder scans your codebase and tells you if CVE-2024-21538 is reachable — not just present.
npx @shoulderdev/cli trust .
Technical details
Risk by Environment
Production (public-facing): HIGH. Patch soon. Exploitation requires specific conditions but impact is severe.
Staging: MEDIUM. Schedule patch. Review if this environment is network-accessible.
Internal services: MEDIUM. Assess exposure. Patch if the service handles sensitive data.
Local dev only: LOW. Minimal risk in isolated dev environments.
Detection Rules (11 rules)
CWE-1333: Inefficient Regular Expression Complexity (3 rules)
Regular Expression Denial of Service
Regular Expression Denial of Service (ReDoS)
Regular Expression Denial of Service (ReDoS)
CWE-400: Uncontrolled Resource Consumption (8 rules)
LLM Denial of Service
Missing Request Size Limits
Denial of Service via Resource Exhaustion