Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-25918

The package shescape from 1.5.10 and before 1.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the escape function in index.js, due to the usage of insecure regex in the escapeArgBash function.

Published

2022-10-27T10:15:10.637

Last Modified

2025-05-05T19:15:53.727

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.3 (MEDIUM)

Weaknesses

Type: Primary
CWE-1333
Type: Secondary
CWE-1333

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	shescape_project	shescape	1.5.10	Yes
Application	shescape_project	shescape	1.6.0	Yes

References

https://github.com/ericcornelissen/shescape/blob/main/src/unix.js%23L52 Broken Link ([email protected])
https://github.com/ericcornelissen/shescape/commit/552e8eab56861720b1d4e5474fb65741643358f9 Patch, Third Party Advisory ([email protected])
https://github.com/ericcornelissen/shescape/releases/tag/v1.6.1 Release Notes, Third Party Advisory ([email protected])
https://security.snyk.io/vuln/SNYK-JS-SHESCAPE-3061108 Exploit, Patch, Third Party Advisory ([email protected])
https://github.com/ericcornelissen/shescape/blob/main/src/unix.js%23L52 Broken Link (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/ericcornelissen/shescape/commit/552e8eab56861720b1d4e5474fb65741643358f9 Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/ericcornelissen/shescape/releases/tag/v1.6.1 Release Notes, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.snyk.io/vuln/SNYK-JS-SHESCAPE-3061108 Exploit, Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)