Cross-spawn vulnerability in 4.1.0 docker image

Great to see the v4.1.0 being released! We’ve been testing with it and have pulled it into one of our staging environments. I do see an older CVE popping up related to the npm/cross-spawn v7.0.3, I think this must be related to one of the underlying npm packages in the node version? Any thoughts on how this could be patched or if the team is aware?

After pulling in the docker file I have tried a few things to try to update the version, but I haven’t been successful yet. Any help would be appreciated. Thanks.

What docker image are you using?

A clean npm install of node-red does not include cross-spawn:

[nol@nol-air 4.1.0]$ npm list cross-spawn
4.1.0@1.0.0 /Users/nol/code/node-red/archive/4.1.0
└── (empty)

Similarly, the nodered/node-red:latest container doesn’t include it:

$ docker exec -it nr410 npm list cross-spawn
node-red-docker@4.1.0 /usr/src/node-red
`-- (empty)

I do see it in the dev dependency tree of the main node-red git repo; but that isn’t what gets published to npm, nor what we build our images with.

Moments after replying, I spotted the path in the screenshot you shared. Sure enough, it’s a dependency of npm.

$ npm list cross-spawn
/usr/local/lib
`-- npm@10.8.2 extraneous
  +-- cross-spawn@7.0.3 extraneous
  `-- foreground-child@3.2.1 extraneous
    `-- cross-spawn@7.0.3 deduped

The container is based on the current Node LTS release - 20.19.4, which bundles npm 10.8.2.

We either need to wait for them to do a fix release to update their dependency on npm, or we may need to look at updating npm as part of our container build.

Thanks Nick, that’s understandable and thanks for the quick reply.

For the record - I am pulling in the image tagged with 4.1.0 (link)

FROM nodered/node-red:4.1.0
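The second option Nick mentions, replacing the npm that the Node base image bundles, can be done in the downstream image itself. This is an added example, not the Node-RED project's Dockerfile; it assumes the 4.1.0 image runs as the `node-red` user and that npm is installed under `/usr/local/lib/node_modules/npm`, as Nick's `npm list` output from `/usr/local/lib` suggests.

```dockerfile
# Added example (not from the Node-RED project): start from the 4.1.0 image
# discussed in the thread and replace the npm shipped with the Node 20 base,
# since that npm is what carries cross-spawn 7.0.3 into the image.
FROM nodered/node-red:4.1.0

# Assumption: the base image switches to the node-red user; writing to
# /usr/local/lib requires root, so switch back afterwards.
USER root

# Pin this to a specific npm version once you have validated it; "latest"
# is only a convenient default for trying the approach out.
ARG NPM_VERSION=latest
RUN npm install -g "npm@${NPM_VERSION}"

# Fail the build if npm's bundled cross-spawn is still the flagged 7.0.3.
# Assumption: npm is installed at /usr/local/lib/node_modules/npm, the
# standard location in the official Node images.
RUN v=$(node -p "require('/usr/local/lib/node_modules/npm/node_modules/cross-spawn/package.json').version") \
 && echo "npm-bundled cross-spawn: $v" \
 && [ "$v" != "7.0.3" ]

# Drop privileges again so the runtime user matches the upstream image.
USER node-red
```

The build-time check only asserts that the version reported in the thread is gone; re-run your image scanner against the result to confirm it no longer flags the bundled cross-spawn.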