Vulnerability Details CVE-2022-25918
The package shescape from 1.5.10 and before 1.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the escape function in index.js, due to the usage of insecure regex in the escapeArgBash function.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 48.4%
CVSS Severity
CVSS v3 Score 5.3
References
- https://github.com/ericcornelissen/shescape/blob/main/src/unix.js%23L52
- https://github.com/ericcornelissen/shescape/commit/552e8eab56861720b1d4e5474fb65741643358f9
- https://github.com/ericcornelissen/shescape/releases/tag/v1.6.1
- https://security.snyk.io/vuln/SNYK-JS-SHESCAPE-3061108
- https://github.com/ericcornelissen/shescape/blob/main/src/unix.js%23L52
- https://github.com/ericcornelissen/shescape/commit/552e8eab56861720b1d4e5474fb65741643358f9
- https://github.com/ericcornelissen/shescape/releases/tag/v1.6.1
- https://security.snyk.io/vuln/SNYK-JS-SHESCAPE-3061108
Products affected by CVE-2022-25918
-
cpe:2.3:a:shescape_project:shescape:1.5.10
-
cpe:2.3:a:shescape_project:shescape:1.6.0