Next.js vendors vulnerable cross-spawn@7.0.3 (CVE-2024-21538) in dist/compiled #83459

@MrLoh

Description

Link to the code that reproduces this issue

"cross-spawn": "7.0.3",

To Reproduce

  1. yarn add next@latest
  2. Inspect node_modules/next/dist/compiled/cross-spawn/package.json
  3. Observe "version": "7.0.3"
  4. Run trivy fs . (CVE-2024-21538 is reported).

Current vs. Expected behavior

When building a project with Next.js 15.3.2, the published package includes a vendored copy of cross-spawn@7.0.3 under: node_modules/next/dist/compiled/cross-spawn/package.json

This is pinned here:

"cross-spawn": "7.0.3",

This version is flagged as vulnerable with severity high:

  • CVE-2024-21538
  • Fixed in cross-spawn ≥ 7.0.5 (and in 6.0.6 for the 6.x line)

Because the vulnerable manifest is shipped inside next/dist/compiled, tools like Trivy and other SCA scanners report the CVE even if the app itself uses a patched version via resolutions.

Impact:

  • Security scanners flag all images that include recent Next.js as vulnerable.
  • Users cannot override the vendored copy with resolutions since it is compiled in.
  • This blocks clean CI/CD pipelines in environments that require no known CVEs.

Expected behavior:

  • Next.js should bump its vendored cross-spawn to a fixed release (≥7.0.5).
  • Ideally the dist/compiled vendoring strategy should keep up with upstream security patches.

Provide environment information

Operating System:
  Platform: darwin
  Arch: arm64
  Version: Darwin Kernel Version 24.5.0: Tue Apr 22 19:52:00 PDT 2025; root:xnu-11417.121.6~2/RELEASE_ARM64_T6031
  Available memory (MB): 36864
  Available CPU cores: 14
Binaries:
  Node: 20.19.0
  npm: 10.8.2
  Yarn: 1.22.22
  pnpm: 10.13.1
Relevant Packages:
  next: 15.5.2 // Latest available version is detected (15.5.2).
  eslint-config-next: 15.3.2
  react: 19.1.0
  react-dom: 19.1.0
  typescript: 5.8.3
Next.js Config:
  output: N/A

Which area(s) are affected? (Select all that apply)

Not sure

Which stage(s) are affected? (Select all that apply)

next build (local)

Additional context

No response
