Incorrect version dectection for cross-spawn node module

[shadows552]

IDs

CVE-2024-21538

Description

I have cross-spawn 7.0.6 in my package.json, though Trivy is detecting cross-spawn 7.0.3 as my installed version. (I tried to figure the stuff out about interlaced dependencies and as far as I can tell that isn't the issue here? but I'm not confident)

Also, .trivyignore only works for this vulnerability when running Trivy locally, though when using .trivyignore in GitHub actions, the .trivyignore is loaded, but ignored.

Reproduction Steps

Local:
1. run npm install
2. Build docker image without cache
3. run "trivy image --severity CRITICAL,HIGH --ignore-unfixed --scanners vuln bbf-backend:latest"

Target

Container Image

Scanner

Vulnerability

Target OS

No response

Debug Output

trivy image --severity CRITICAL,HIGH --ignore-unfixed --scanners vuln bbf-backend:latest --debug

2025-11-18T23:13:55-06:00       DEBUG   Parsed severities       severities=[CRITICAL HIGH]
2025-11-18T23:13:55-06:00       DEBUG   Ignore statuses statuses=[0 1 2 4 5 6 7]
2025-11-18T23:13:56-06:00       DEBUG   Cache dir       dir="/home/rt552/snap/trivy/276/.cache/trivy"
2025-11-18T23:13:56-06:00       DEBUG   DB update was skipped because the local DB is the latest
2025-11-18T23:13:56-06:00       DEBUG   DB info schema=2 updated_at=2025-11-19T00:35:34.721429525Z next_update=2025-11-20T00:35:34.721429305Z downloaded_at=2025-11-19T05:13:37.613143813Z
2025-11-18T23:13:56-06:00       INFO    Vulnerability scanning is enabled
2025-11-18T23:13:56-06:00       DEBUG   Vulnerability type      type=[os library]
2025-11-18T23:13:56-06:00       DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2025-11-18T23:13:56-06:00       DEBUG   [nuget] The nuget packages directory couldn't be found. License search disabled
2025-11-18T23:13:56-06:00       DEBUG   [image] Detected image ID       image_id="sha256:40e30a2a089bc2bef9cfd6bf83e459b290fd603b9bbad706b599dfe3f8612118"
2025-11-18T23:13:56-06:00       DEBUG   [image] Detected diff ID        diff_ids=[sha256:994456c4fd7b2b87346a81961efb4ce945a39592d32e0762b38768bca7c7d085 sha256:ba46b55040aa263bd050523d27cea66f1b7c35bca5bb84b3fb0c34c168747813 sha256:2224f7db3398557ff0f3373b228f29aa94649941bc286eeab2d91cf5ea60d0ea sha256:dfc00069e787a564c9e591588929985b84e0715602ae082a8fb25dbcc965d9d6 sha256:aff722580bb92454654f0b844b5d32ce32ec78f32dfe63caf256842c527a7c3a sha256:17c8b2be174d50f531ffc98630fb12424fff67e32dc925d99235827fff9719a8 sha256:dbea65b70db211987b31f5bca3d60d366da00e08a2d4aabe9e3ca880027dd677 sha256:0407411468321652a36fa000a048d3d617254da19e93668791aff70194364d1c sha256:6f1f12a2110e4c8f2517464576c7ed766dceed6e3295236b36a7666af098b08a]
2025-11-18T23:13:56-06:00       DEBUG   [image] Detected base layers    diff_ids=[sha256:994456c4fd7b2b87346a81961efb4ce945a39592d32e0762b38768bca7c7d085 sha256:ba46b55040aa263bd050523d27cea66f1b7c35bca5bb84b3fb0c34c168747813 sha256:2224f7db3398557ff0f3373b228f29aa94649941bc286eeab2d91cf5ea60d0ea sha256:dfc00069e787a564c9e591588929985b84e0715602ae082a8fb25dbcc965d9d6]
2025-11-18T23:13:56-06:00       INFO    Detected OS     family="alpine" version="3.20.6"
2025-11-18T23:13:56-06:00       INFO    [alpine] Detecting vulnerabilities...   os_version="3.20" repository="3.20" pkg_num=16
2025-11-18T23:13:56-06:00       INFO    Number of language-specific files       num=1
2025-11-18T23:13:56-06:00       INFO    [node-pkg] Detecting vulnerabilities...
2025-11-18T23:13:56-06:00       DEBUG   [node-pkg] Scanning packages for vulnerabilities        file_path=""

bbf-backend:latest (alpine 3.20.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2025-11-18T23:13:56-06:00       INFO    Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Node.js (node-pkg)

Total: 2 (HIGH: 2, CRITICAL: 0)

┌────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬───────────────────────────────────────────────────────────┐
│          Library           │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                           Title                           │
├────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼───────────────────────────────────────────────────────────┤
│ cross-spawn (package.json) │ CVE-2024-21538 │ HIGH     │ fixed  │ 7.0.3             │ 7.0.5, 6.0.6   │ cross-spawn: regular expression denial of service         │
│                            │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-21538                │
├────────────────────────────┼────────────────┤          │        ├───────────────────┼────────────────┼───────────────────────────────────────────────────────────┤
│ glob (package.json)        │ CVE-2025-64756 │          │        │ 10.4.2            │ 11.1.0, 10.5.0 │ glob CLI: Command injection via -c/--cmd executes matches │
│                            │                │          │        │                   │                │ with shell:true                                           │
│                            │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2025-64756                │
└────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴───────────────────────────────────────────────────────────┘

Version

Version: 0.67.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-11-19 00:35:34.721429525 +0000 UTC
  NextUpdate: 2025-11-20 00:35:34.721429305 +0000 UTC
  DownloadedAt: 2025-11-19 05:19:25.136699979 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[shadows552]

In all honesty I'm a bit out of my depth so please be patient with my sub-optimal bug reporting skills. My apologies in advance if I ran into a fixable issue that isn't a bug.

[DmitriyLewen]

Hello @shadows552
It’s possible that Trivy is finding a different package.json file with 7.0.3 version.

Try scanning the image with the -f json flag and check the PkgPath field for this vulnerability.

Regards, Dmitriy

[shadows552]

That was indeed the issue. Thank you so much, I appreciate the patient response!