VDB
RHSA-2025%3A3368
RHSA-2025%3A3368
PUBLISHED
CVSS 4.400000095367432 MEDIUM
A Regular Expression Denial of Service (ReDoS) vulnerability was found in the cross-spawn package for Node.js. Due to improper input sanitization, an attacker can increase CPU usage and crash the program with a large, specially crafted string.
Risk Scores
CVSS 3.1
4.400000095367432
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | registry.redhat.io/rhoai/odh-ml-pipelines-launcher-rhel8@sha256:8783f8aaed686a63ed1f913364c85606b1447540608f5b7f45412ff0868a4f38_amd64 as a component of Red Hat OpenShift AI 2.16 | *, *, * |
| Red Hat | registry.redhat.io/rhoai/odh-ml-pipelines-driver-rhel8@sha256:2257fe7947959fd59346d2b322f7dbb471831880df659e57344b0d804c2c0099_amd64 as a component of Red Hat OpenShift AI 2.16 | registry.redhat.io/rhoai/odh-ml-pipelines-driver-rhel8@sha256:2257fe7947959fd59346d2b322f7dbb471831880df659e57344b0d804c2c0099_amd64 |
| Red Hat | registry.redhat.io/rhoai/odh-codeflare-operator-rhel8@sha256:8d78e6f1c302b1de6c45435a3d49c807fe5e4dbfe3e7a3d3ebfa0cac6318e79a_amd64 as a component of Red Hat OpenShift AI 2.16 | *, *, * |
| Red Hat | registry.redhat.io/rhoai/odh-kuberay-operator-controller-rhel8@sha256:5394cd240a8857906803affec711959da8b8da4e9a7225ddaefe9736c98949b4_amd64 as a component of Red Hat OpenShift AI 2.16 | *, *, * |
| Red Hat | registry.redhat.io/rhoai/odh-data-science-pipelines-operator-controller-rhel8@sha256:a0f72ffefb2b74b488dd949493f5d295a39bb9c97f578bf219d0138601f65468_amd64 as a component of Red Hat OpenShift AI 2.16 | *, *, * |
| Red Hat | registry.redhat.io/rhoai/odh-modelmesh-runtime-adapter-rhel8@sha256:4a7599f8a866eb169c9a62885906adbf6df0417c0be15857df1eef20cd9b1be2_amd64 as a component of Red Hat OpenShift AI 2.16 | registry.redhat.io/rhoai/odh-modelmesh-runtime-adapter-rhel8@sha256:4a7599f8a866eb169c9a62885906adbf6df0417c0be15857df1eef20cd9b1be2_amd64 |
| Red Hat | registry.redhat.io/rhoai/odh-ml-pipelines-driver-rhel8@sha256:2257fe7947959fd59346d2b322f7dbb471831880df659e57344b0d804c2c0099_amd64 as a component of Red Hat OpenShift AI 2.16 | *, *, * |
| Red Hat | registry.redhat.io/rhoai/odh-kf-notebook-controller-rhel8@sha256:2ba2b2c4db8bb334c50f4dfb54059f060361186900a44c06eed00b7a3c43977e_amd64 as a component of Red Hat OpenShift AI 2.16 | registry.redhat.io/rhoai/odh-kf-notebook-controller-rhel8@sha256:2ba2b2c4db8bb334c50f4dfb54059f060361186900a44c06eed00b7a3c43977e_amd64 |
| Red Hat | registry.redhat.io/rhoai/odh-training-operator-rhel8@sha256:c8456d98e90b6505957ab3686e9fd2f156e29f123c5558e581c206daf1e7d93a_amd64 as a component of Red Hat OpenShift AI 2.16 | *, *, * |
| Red Hat | registry.redhat.io/rhoai/odh-modelmesh-rhel8@sha256:c499a2c4a7860a1853adf3ebfbf154f3c03c478034a78566b82711373210af39_amd64 as a component of Red Hat OpenShift AI 2.16 | registry.redhat.io/rhoai/odh-modelmesh-rhel8@sha256:c499a2c4a7860a1853adf3ebfbf154f3c03c478034a78566b82711373210af39_amd64 |
| Red Hat | registry.redhat.io/rhoai/odh-data-science-pipelines-argo-workflowcontroller-rhel8@sha256:d7d4fa406e0fcf0507894a7676532b27f45be742467e603a86f98ea5d2615df8_amd64 as a component of Red Hat OpenShift AI 2.16 | registry.redhat.io/rhoai/odh-data-science-pipelines-argo-workflowcontroller-rhel8@sha256:d7d4fa406e0fcf0507894a7676532b27f45be742467e603a86f98ea5d2615df8_amd64 |
| Red Hat | registry.redhat.io/rhoai/odh-ml-pipelines-persistenceagent-v2-rhel8@sha256:96253b1b94bbaab87d4f8118dfee323eefebdc3734a7e01ebcf906dbc02a2a55_amd64 as a component of Red Hat OpenShift AI 2.16 | registry.redhat.io/rhoai/odh-ml-pipelines-persistenceagent-v2-rhel8@sha256:96253b1b94bbaab87d4f8118dfee323eefebdc3734a7e01ebcf906dbc02a2a55_amd64 |
| Red Hat | registry.redhat.io/rhoai/odh-mm-rest-proxy-rhel8@sha256:f738aab1eab25854c93e1d8d4d98100a8ae7bb45a6b83f0326774e4220b1183b_amd64 as a component of Red Hat OpenShift AI 2.16 | *, *, * |
| Red Hat | registry.redhat.io/rhoai/odh-ml-pipelines-scheduledworkflow-v2-rhel8@sha256:52613c18ed44062b6e5d5b748572dad624f773a83dbc7251ff87a807142e118a_amd64 as a component of Red Hat OpenShift AI 2.16 | registry.redhat.io/rhoai/odh-ml-pipelines-scheduledworkflow-v2-rhel8@sha256:52613c18ed44062b6e5d5b748572dad624f773a83dbc7251ff87a807142e118a_amd64 |
| Red Hat | registry.redhat.io/rhoai/odh-ml-pipelines-persistenceagent-v2-rhel8@sha256:96253b1b94bbaab87d4f8118dfee323eefebdc3734a7e01ebcf906dbc02a2a55_amd64 as a component of Red Hat OpenShift AI 2.16 | *, *, * |
| Red Hat | registry.redhat.io/rhoai/odh-kuberay-operator-controller-rhel8@sha256:5394cd240a8857906803affec711959da8b8da4e9a7225ddaefe9736c98949b4_amd64 as a component of Red Hat OpenShift AI 2.16 | registry.redhat.io/rhoai/odh-kuberay-operator-controller-rhel8@sha256:5394cd240a8857906803affec711959da8b8da4e9a7225ddaefe9736c98949b4_amd64 |
| Red Hat | registry.redhat.io/rhoai/odh-model-registry-operator-rhel8@sha256:22557a6fa52d2f311750a9ba253860f423ba697d26efa02ef8524a8258d2a909_amd64 as a component of Red Hat OpenShift AI 2.16 | registry.redhat.io/rhoai/odh-model-registry-operator-rhel8@sha256:22557a6fa52d2f311750a9ba253860f423ba697d26efa02ef8524a8258d2a909_amd64 |
| Red Hat | registry.redhat.io/rhoai/odh-model-registry-rhel8@sha256:de5f91180ead7d73a1825fe8b032fde9b8b01392569c9789f5ce1b4b9c08a98f_amd64 as a component of Red Hat OpenShift AI 2.16 | registry.redhat.io/rhoai/odh-model-registry-rhel8@sha256:de5f91180ead7d73a1825fe8b032fde9b8b01392569c9789f5ce1b4b9c08a98f_amd64 |
| Red Hat | registry.redhat.io/rhoai/odh-training-operator-rhel8@sha256:c8456d98e90b6505957ab3686e9fd2f156e29f123c5558e581c206daf1e7d93a_amd64 as a component of Red Hat OpenShift AI 2.16 | registry.redhat.io/rhoai/odh-training-operator-rhel8@sha256:c8456d98e90b6505957ab3686e9fd2f156e29f123c5558e581c206daf1e7d93a_amd64 |
| Red Hat | registry.redhat.io/rhoai/odh-ml-pipelines-api-server-v2-rhel8@sha256:be47d58f1943c5b4becc8cb541d9b0a53e6811451d9010c447b2c3e9b85c06c2_amd64 as a component of Red Hat OpenShift AI 2.16 | *, *, * |
…and 35 more
Timeline
- Mar 27, 2025 CVE Published
- Apr 25, 2026 Distribution Patch
- Apr 25, 2026 Distribution Patch
- Apr 25, 2026 Security Advisory
- Apr 25, 2026 Security Advisory
- Apr 25, 2026 Security Advisory
- Apr 25, 2026 Security Advisory
- Apr 25, 2026 Security Advisory
- Apr 25, 2026 Security Advisory
- Apr 25, 2026 Security Advisory
- Apr 25, 2026 Security Advisory
- Apr 25, 2026 Security Advisory
References
- https://access.redhat.com/errata/RHSA-2025:3368 advisory
- https://docs.redhat.com/en/documentation/red_hat_openshift_ai/ advisory
- https://access.redhat.com/security/cve/CVE-2024-21538 advisory
- https://access.redhat.com/security/cve/CVE-2024-45296 advisory
- https://access.redhat.com/security/cve/CVE-2024-45338 advisory
- https://access.redhat.com/security/cve/CVE-2024-45339 advisory
- https://access.redhat.com/security/cve/CVE-2024-52798 advisory
- https://access.redhat.com/security/cve/CVE-2024-55565 advisory
- https://access.redhat.com/security/cve/CVE-2024-56171 advisory
- https://access.redhat.com/security/cve/CVE-2024-56201 advisory
- https://access.redhat.com/security/cve/CVE-2025-22150 advisory
- https://access.redhat.com/security/cve/CVE-2025-24928 advisory
- https://access.redhat.com/security/cve/CVE-2025-26791 advisory
- https://access.redhat.com/security/updates/classification/ advisory
- https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_3368.json advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2324550 issue
- https://www.cve.org/CVERecord?id=CVE-2024-21538 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2024-21538 advisory
- https://github.com/moxystudio/node-cross-spawn/commit/5ff3a07d9add449021d806e45c4168203aa833ff advisory
- https://github.com/moxystudio/node-cross-spawn/commit/640d391fde65388548601d95abedccc12943374f advisory
…and 67 more