CVE-2022-25918

Regular Expression Denial of Service (ReDoS)

CVSS 5.3 MEDIUMEPSS 1.2%CWE-1333

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 5.3EPSS 1.2%KEV nãoPoC —Patch —

Lifecycle

27 Oct 2022Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

The package shescape from 1.5.10 and before 1.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the escape function in index.js, due to the usage of insecure regex in the escapeArgBash function.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Affected products

n/a · shescape

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/ericcornelissen/shescape/blob/main/src/unix.js%23L52 https://github.com/ericcornelissen/shescape/commit/552e8eab56861720b1d4e5474fb65741643358f9 https://github.com/ericcornelissen/shescape/releases/tag/v1.6.1 https://security.snyk.io/vuln/SNYK-JS-SHESCAPE-3061108