Intel

AIKIDO-2025-10154

detox is vulnerable to Regular Expression Denial of Service (ReDoS)

Regular Expression Denial of Service (ReDoS) | CVE-2024-21538 | Published Mar 13, 2025

71

High Risk

This Affects:

detox (npm)
1.0.0 - 20.34.4
Fixed in 20.34.5

TL;DR

Affected versions of this package are vulnerable through a vulnerable transitive dependency, as described in CVE-2024-21538. The issue arises from child-process-promise, which relies on an insecure version of cross-spawn. This has been addressed by migrating from the unmaintained child-process-promise to promisify-child-process, eliminating the transitive vulnerability in cross-spawn.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

detox is vulnerable to Regular Expression Denial of Service (ReDoS) in versions 1.0.0 - 20.34.4.

How to fix this

Upgrade detox to version 20.34.5 or later, which no longer depends on child-process-promise and therefore no longer pulls in the vulnerable cross-spawn.
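Because the weakness is transitive, the practical check is whether your lockfile still resolves detox in the affected range and through which chain cross-spawn is reached. The Node.js script below is an added example, not code from the advisory or the detox project. It assumes an npm lockfile in the lockfileVersion 2 or 3 "packages" layout and a hoisted top-level detox; the embedded lockfile fragment is constructed, with only the detox version taken from the advisory and the other version numbers being placeholders.

```javascript
// Added example (not from the Aikido advisory or the detox project): inspect an
// npm lockfile (lockfileVersion 2 or 3 "packages" map) to report whether the
// installed detox falls in the advisory's affected range (1.0.0 - 20.34.4) and
// which dependency chain pulls cross-spawn in. Node.js, no dependencies.

// Constructed lockfile fragment that mirrors the chain the advisory describes:
// detox -> child-process-promise -> cross-spawn. The detox version is from the
// advisory; the other version numbers are placeholders, not taken from it.
const LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { detox: "^20.0.0" } },
    "node_modules/detox": {
      version: "20.34.4",
      dependencies: { "child-process-promise": "^2.0.0" },
    },
    "node_modules/child-process-promise": {
      version: "2.0.0",
      dependencies: { "cross-spawn": "^4.0.0" },
    },
    "node_modules/cross-spawn": { version: "4.0.0" },
  },
};

// Parse "MAJOR.MINOR.PATCH" (optional leading "v"; pre-release/build suffix ignored).
function parseVersion(version) {
  const core = String(version).replace(/^v/, "").split(/[-+]/)[0];
  return core.split(".").map((part) => Number.parseInt(part, 10) || 0);
}

// Numeric semver comparison: negative, zero or positive like a comparator.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i += 1) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// Inclusive range check; defaults are the advisory's affected range for detox.
function isAffected(version, low = "1.0.0", high = "20.34.4") {
  return compareVersions(version, low) >= 0 && compareVersions(version, high) <= 0;
}

// npm's resolution order: the package's own nested node_modules first, then
// each ancestor's, finishing at the top-level node_modules.
function resolveDep(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${depName}` : `node_modules/${depName}`;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Every dependency chain from the project root to targetName, as
// "name@version" steps; a visited set keeps cyclic dependency graphs finite.
function dependencyChains(lockfile, targetName) {
  const packages = lockfile.packages || {};
  const chains = [];
  const walk = (path, chain, seen) => {
    const node = packages[path];
    if (!node) return;
    for (const depName of Object.keys(node.dependencies || {})) {
      const depPath = resolveDep(packages, path, depName);
      if (!depPath || seen.has(depPath)) continue;
      const step = `${depName}@${packages[depPath].version}`;
      if (depName === targetName) chains.push([...chain, step]);
      else walk(depPath, [...chain, step], new Set([...seen, depPath]));
    }
  };
  walk("", [], new Set());
  return chains;
}

// Version of a top-level (hoisted) package, or null when it is not installed.
function installedVersion(lockfile, name) {
  const entry = (lockfile.packages || {})[`node_modules/${name}`];
  return entry ? entry.version : null;
}

// Summarise exposure: installed detox version, whether it is in the affected
// range, and the chains through which cross-spawn reaches the project.
function assessLockfile(lockfile) {
  const detoxVersion = installedVersion(lockfile, "detox");
  return {
    detoxVersion,
    affected: detoxVersion !== null && isAffected(detoxVersion),
    crossSpawnChains: dependencyChains(lockfile, "cross-spawn").map((c) => c.join(" > ")),
  };
}

console.log(JSON.stringify(assessLockfile(LOCKFILE), null, 2));
```

To run it against a real project, replace the constructed LOCKFILE with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; a non-empty `crossSpawnChains` after upgrading to 20.34.5 means another dependency still brings cross-spawn in and deserves its own review.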