Dependency update for cross-spawn, es5-ext, undici, jose, braces and tar (MINDBREEZE32874)
ID: MINDBREEZE32874
Affected Components: Mindbreeze InSpire, Mindbreeze InSpire SaaS
Severity: 7.5 High
Status: Final
First published: April 28, 2025
CVEs: CVE-2024-21538, CVE-2024-27088, CVE-2023-24807, CVE-2024-28176, CVE-2024-4068, CVE-2024-28863
Summary
Updated dependencies to address security vulnerabilities:
cross-spawn (7.0.5) - CVE-2024-21538: fixed Regular Expression Denial of Service (ReDoS)
es5-ext (0.10.63) - CVE-2024-27088: Fixed function parsing
undici (5.28.5) - CVE-2023-24807 , CVE-2024-24750 : Fixed ReDoS vulnerability
jose (4.15.5) - CVE-2024-28176: Fixed JWE decompression vulnerability
braces (3.0.3) - CVE-2024-4068: Fixed memory exhaustion vulnerability
tar (6.2.1) - CVE-2024-28863: Fixed deep folder extraction
These updates improve security and stability.
Hotfix Information
Fixed with following versions of Mindbreeze InSpire On-Premises or Mindbreeze InSpire SaaS:
- Mindbreeze InSpire 25.2 Release
- Mindbreeze InSpire Saas 25.2 Release