The package shescape from 1.5.10 and before 1.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the escape function in index.js, due to the usage of insecure regex in the escapeArgBash function.
References
Link | Resource |
---|---|
https://github.com/ericcornelissen/shescape/blob/main/src/unix.js%23L52 | Broken Link |
https://github.com/ericcornelissen/shescape/commit/552e8eab56861720b1d4e5474fb65741643358f9 | Patch Third Party Advisory |
https://github.com/ericcornelissen/shescape/releases/tag/v1.6.1 | Release Notes Third Party Advisory |
https://security.snyk.io/vuln/SNYK-JS-SHESCAPE-3061108 | Exploit Patch Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Information
Published : 2022-10-27 03:15
Updated : 2022-10-28 12:41
NVD link : CVE-2022-25918
Mitre link : CVE-2022-25918
JSON object : View
CWE
Products Affected
shescape_project
- shescape