Lucene search
HistoryOct 27, 2022 - 10:15 a.m.
CVE-2022-25918
cve-2022-25918
shescape
regular expression denial of service
redos
index.js
escape function
insecure regex
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.002 Low
EPSS
Percentile
59.0%
The package shescape from 1.5.10 and before 1.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the escape function in index.js, due to the usage of insecure regex in the escapeArgBash function.
Affected configurations
Node
shescape_projectshescapeMatch1.5.10node.js
ORshescape_projectshescapeMatch1.6.0node.js
CNA Affected
[
{
"vendor": "n/a",
"product": "shescape",
"versions": [
{
"version": "1.5.10",
"status": "affected",
"lessThan": "unspecified",
"versionType": "custom"
},
{
"version": "unspecified",
"lessThan": "1.6.1",
"status": "affected",
"versionType": "custom"
}
]
}
]References
Social References
More
Related
nvd
nvd
CVE-2022-25918
2022-10-27 10:15:10
cvelist
cvelist
CVE-2022-25918 Regular Expression Denial of Service (ReDoS)
2022-10-27 00:00:00
veracode
veracode
Regular Expression Denial Of Service (ReDoS)
2022-10-28 05:35:07
github
github
Inefficient Regular Expression Complexity in shescape
2022-10-25 22:27:32
prion
prion
Code injection
2022-10-27 10:15:00
osv
osv
CVE-2022-25918
2022-10-27 10:15:10
Inefficient Regular Expression Complexity in shescape
2022-10-25 22:27:32
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.002 Low
EPSS
Percentile
59.0%
Related for CVE-2022-25918