CVE-2022-25918

Published: Oct 27, 2022Modified: May 5, 2025

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

The package shescape from 1.5.10 and before 1.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the escape function in index.js, due to the usage of insecure regex in the escapeArgBash function.

Affected (2)

Products: Shescape Project: Shescape

Shescape Project

1 product

Shescape

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Shescape Project Shescape	Version 1.5.10
Shescape Project Shescape	Version 1.6.0

Related CWEs

CWE-1333

Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

References (8)

https://github.com/ericcornelissen/shescape/blob/main/src/unix.js%23L52

Source: report@snyk.io

Broken Link

https://github.com/ericcornelissen/shescape/commit/552e8eab56861720b1d4e5474fb65741643358f9

Source: report@snyk.io

PatchThird Party Advisory

https://github.com/ericcornelissen/shescape/releases/tag/v1.6.1

Source: report@snyk.io

Release NotesThird Party Advisory

https://security.snyk.io/vuln/SNYK-JS-SHESCAPE-3061108

Source: report@snyk.io

ExploitPatchThird Party Advisory

https://github.com/ericcornelissen/shescape/blob/main/src/unix.js%23L52

Source: af854a3a-2127-422b-91ae-364da2661108

Broken Link

https://github.com/ericcornelissen/shescape/commit/552e8eab56861720b1d4e5474fb65741643358f9

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/ericcornelissen/shescape/releases/tag/v1.6.1

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesThird Party Advisory

https://security.snyk.io/vuln/SNYK-JS-SHESCAPE-3061108

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitPatchThird Party Advisory

Timeline

No history available yet.