The package shescape from 1.5.10 and before 1.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the escape function in index.js, due to the usage of insecure regex in the escapeArgBash function.
References
Link | Resource |
---|---|
https://github.com/ericcornelissen/shescape/blob/main/src/unix.js%23L52 | Broken Link |
https://github.com/ericcornelissen/shescape/commit/552e8eab56861720b1d4e5474fb65741643358f9 | Patch Third Party Advisory |
https://github.com/ericcornelissen/shescape/releases/tag/v1.6.1 | Release Notes Third Party Advisory |
https://security.snyk.io/vuln/SNYK-JS-SHESCAPE-3061108 | Exploit Patch Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: snyk
Published: 2022-10-27T00:00:00
Updated: 2022-10-27T00:00:00
Reserved: 2022-02-24T00:00:00
Link: CVE-2022-25918
JSON object: View
NVD Information
Status : Analyzed
Published: 2022-10-27T10:15:10.637
Modified: 2023-08-08T14:22:24.967
Link: CVE-2022-25918
JSON object: View
Redhat Information
No data.
CWE