Rongchen Li

**Name of the Vulnerable Software and Affected Versions** pacote versions 11.2.7 and later **Description** A Regular Expression Denial of Service (ReDoS) exists in the `addGitSha()` function. An attacker can cause excessive CPU consumption, potentially stalling or crashing the process, by providing a specially crafted `spec.rawSpec` value. This occurs when the function's regex replacement and string-manipulation logic are triggered, pinning a CPU core. The issue is reachable by unauthenticated users wherever the library consumes user-controlled package specifications. **Recommendations** As a temporary mitigation, validate package specifications before passing them to the library. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** @eslint/plugin-kit versions prior to 0.2.3 **Description** The issue is related to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by exploiting this vulnerability. Crafting a very large and well-crafted string can also increase the CPU usage and crash the program. **Recommendations** For versions prior to 0.2.3, update to version 0.2.3 or later to resolve the issue. As a temporary workaround, consider restricting the input size to prevent large strings from being processed by the ConfigCommentParser function. Avoid using the ConfigCommentParser function with untrusted input until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** cross-spawn versions prior to 7.0.5 **Description** The issue is related to a Regular Expression Denial of Service (ReDoS) in the cross-spawn package. This occurs due to improper input sanitization, allowing an attacker to craft a large and well-crafted string that can increase CPU usage and crash the program. The exploitation of this issue can lead to a denial of service. **Recommendations** For versions prior to 7.0.5, update to version 7.0.5 or later to resolve the issue. As a temporary workaround, consider restricting input to prevent large and maliciously crafted strings from being processed.