
[bitnami/node] Security issue with cross-spawn < 7.0.5 (CVE-2024-21538) #76148

Open
KuSh opened this issue Jan 10, 2025 · 2 comments
Labels
stale 15 days without activity tech-issues The user has a technical issue about an application triage Triage is needed

Comments


KuSh commented Jan 10, 2025

Name and Version

bitnami/node:18-debian-12 and bitnami/node:20-debian-12

What steps will reproduce the bug?

Scan the Node 18 or 20 images with any security tool, such as Trivy:

$ trivy image bitnami/node:18-debian-12 --scanners vuln --severity HIGH,CRITICAL --ignore-unfixed
2025-01-10T10:43:02Z	INFO	[vuln] Vulnerability scanning is enabled
2025-01-10T10:43:14Z	INFO	[python] License acquired from METADATA classifiers may be subject to additional terms	name="pip" version="23.3.2"
2025-01-10T10:43:14Z	INFO	[python] License acquired from METADATA classifiers may be subject to additional terms	name="pip" version="24.3.1"
2025-01-10T10:43:14Z	INFO	[python] License acquired from METADATA classifiers may be subject to additional terms	name="virtualenv" version="20.27.1"
2025-01-10T10:43:14Z	INFO	Detected OS	family="debian" version="12.8"
2025-01-10T10:43:14Z	INFO	[debian] Detecting vulnerabilities...	os_version="12" pkg_num=177
2025-01-10T10:43:14Z	INFO	Number of language-specific files	num=4
2025-01-10T10:43:14Z	INFO	[bitnami] Detecting vulnerabilities...
2025-01-10T10:43:14Z	INFO	[node-pkg] Detecting vulnerabilities...
2025-01-10T10:43:14Z	INFO	[python-pkg] Detecting vulnerabilities...
2025-01-10T10:43:14Z	WARN	Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.58/docs/scanner/vulnerability#severity-selection for details.

bitnami/node:18-debian-12 (debian 12.8)
=======================================
Total: 0 (HIGH: 0, CRITICAL: 0)

2025-01-10T10:43:14Z	INFO	Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Node.js (node-pkg)
==================
Total: 1 (HIGH: 1, CRITICAL: 0)

┌────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────┐
│          Library           │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                       Title                       │
├────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────┤
│ cross-spawn (package.json) │ CVE-2024-21538 │ HIGH     │ fixed  │ 7.0.3             │ 7.0.5, 6.0.6  │ cross-spawn: regular expression denial of service │
│                            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-21538        │
└────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────┘

What is the expected behavior?

We shouldn't get the cross-spawn vulnerability, as it is fixed upstream.

What do you see instead?

We are getting the cross-spawn vulnerability.

Additional information

Upgrade the npm package to 10.9.2, see npm/cli@029060c

@KuSh KuSh added the tech-issues The user has a technical issue about an application label Jan 10, 2025
@github-actions github-actions bot added the triage Triage is needed label Jan 10, 2025
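The report above is a scanner finding on a copy of cross-spawn bundled inside npm; the fixed versions in Trivy's table differ per release line (7.0.5 for 7.x, 6.0.6 for 6.x). The following is an added example, not code from this issue or from the Bitnami project: it walks a node_modules tree, finds every nested cross-spawn copy, and flags those below their line's fix, so the same check can be run inside an image (the bitnami npm path is assumed to be under /opt/bitnami/node/lib/node_modules) without a scanner. The sample tree it builds is constructed for the demonstration.

```python
"""Flag cross-spawn copies affected by CVE-2024-21538 in a node_modules tree."""
import json
import os
import re
import tempfile

# Fixed versions per release line, as shown in the Trivy "Fixed Version" column above.
FIXED = {7: (7, 0, 5), 6: (6, 0, 6)}


def parse_version(version):
    """Turn '7.0.3' (optionally 'v7.0.3') into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True if this cross-spawn version is below the fix for its major line."""
    v = parse_version(version)
    fixed = FIXED.get(v[0])
    if fixed is None:
        # No fix on this line: anything older than the lowest fixed release is affected.
        return v < FIXED[6]
    return v < fixed


def find_cross_spawn(root):
    """Return (package.json path, version) for every cross-spawn copy under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) == "cross-spawn" and "package.json" in files:
            path = os.path.join(dirpath, "package.json")
            with open(path) as f:
                data = json.load(f)
            if data.get("name") == "cross-spawn":
                hits.append((path, data["version"]))
    return hits


def audit(root):
    """Return (path, version, vulnerable) for each copy found, vulnerable ones flagged."""
    return [(p, v, is_vulnerable(v)) for p, v in find_cross_spawn(root)]


def make_sample_tree():
    """Constructed sample: a 7.0.3 copy bundled with npm (as in the report) and a fixed 7.0.5 copy."""
    root = tempfile.mkdtemp()
    for rel, ver in (("npm/node_modules/cross-spawn", "7.0.3"),
                     ("other-tool/node_modules/cross-spawn", "7.0.5")):
        os.makedirs(os.path.join(root, rel))
        with open(os.path.join(root, rel, "package.json"), "w") as f:
            json.dump({"name": "cross-spawn", "version": ver}, f)
    return root


if __name__ == "__main__":
    # Point audit() at /opt/bitnami/node/lib/node_modules (assumed path) to check a real image.
    for path, ver, bad in audit(make_sample_tree()):
        print(f"{'VULNERABLE' if bad else 'ok'} cross-spawn {ver} at {path}")
```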
@carrodher (Member) commented

I understand your concern regarding security vulnerabilities. In this case, you're inspecting CVEs for certain container images that haven't received updates since December 10th, as mentioned in this announcement.

Since then, only the latest version (NodeJS 22 in this case) has been updated in the Bitnami Catalog. As of now, no fixed CVEs have been reported for this version. Here’s the scan result for bitnami/node:22:

$ trivy image bitnami/node:22 --ignore-unfixed
2025-01-10T19:56:50+01:00	INFO	[vuln] Vulnerability scanning is enabled
2025-01-10T19:56:50+01:00	INFO	[secret] Secret scanning is enabled
2025-01-10T19:56:50+01:00	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-10T19:56:50+01:00	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.58/docs/scanner/secret#recommendation for faster secret detection
2025-01-10T19:56:52+01:00	INFO	Detected OS	family="debian" version="12.8"
2025-01-10T19:56:52+01:00	INFO	[debian] Detecting vulnerabilities...	os_version="12" pkg_num=177
2025-01-10T19:56:52+01:00	INFO	Number of language-specific files	num=4
2025-01-10T19:56:52+01:00	INFO	[bitnami] Detecting vulnerabilities...
2025-01-10T19:56:52+01:00	INFO	[python-pkg] Detecting vulnerabilities...
2025-01-10T19:56:52+01:00	INFO	[node-pkg] Detecting vulnerabilities...
2025-01-10T19:56:52+01:00	WARN	Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.58/docs/scanner/vulnerability#severity-selection for details.

bitnami/node:22 (debian 12.8)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

If you'd like to continue accessing up-to-date releases for other upstream-supported branches, such as NodeJS 18 or NodeJS 20, upgrading to Bitnami Premium would provide this benefit. For more information, please visit our partner Arrow Electronics.


This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

@github-actions github-actions bot added the stale 15 days without activity label Jan 26, 2025