CVE-2022-25918

The package shescape from 1.5.10 and before 1.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the escape function in index.js, due to the usage of insecure regex in the escapeArgBash function.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
snykCNA
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 47%
VendorProductVersion
shescape_projectshescape
1.5.10
shescape_projectshescape
1.6.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/ericcornelissen/shescape/blob/main/src/unix.js%23L52
https://github.com/ericcornelissen/shescape/commit/552e8eab56861720b1d4e5474fb65741643358f9
https://github.com/ericcornelissen/shescape/releases/tag/v1.6.1
https://security.snyk.io/vuln/SNYK-JS-SHESCAPE-3061108
https://github.com/ericcornelissen/shescape/blob/main/src/unix.js%23L52
https://github.com/ericcornelissen/shescape/commit/552e8eab56861720b1d4e5474fb65741643358f9
https://github.com/ericcornelissen/shescape/releases/tag/v1.6.1
https://security.snyk.io/vuln/SNYK-JS-SHESCAPE-3061108