CVE-2022-36064

2022-09-0621:15:08

CWE-400

CWE-1333

[email protected]

web.nvd.nist.gov

cve-2022-36064

shescape

javascript

shell escape

unix

bash

dash

regular expression complexity

redos

vulnerability

patch

nvd

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.002 Low

EPSS

Percentile

54.4%

JSON

Shescape is a shell escape package for JavaScript. An Inefficient Regular Expression Complexity vulnerability impacts users that use Shescape to escape arguments for the Unix shells Bash and Dash, or any not-officially-supported Unix shell; and/or using the escape or escapeAll functions with the interpolation option set to true. An attacker can cause polynomial backtracking or quadratic runtime in terms of the input string length due to two Regular Expressions in Shescape that are vulnerable to Regular Expression Denial of Service (ReDoS). This bug has been patched in v1.5.10. For Dash only, this bug has been patched since v1.5.9. As a workaround, a maximum length can be enforced on input strings to Shescape to reduce the impact of the vulnerability. It is not recommended to try and detect vulnerable input strings, as the logic for this may end up being vulnerable to ReDoS itself.

Affected configurations

Vulners

NVD

Node

ericcornelissenshescapeRange1.5.1–1.5.10

CPENameOperatorVersion
shescape_project:shescapeshescape project shescapelt1.5.10

CPE	Name	Operator	Version
shescape_project:shescape	shescape project shescape	lt	1.5.10

CNA Affected

[
  {
    "product": "shescape",
    "vendor": "ericcornelissen",
    "versions": [
      {
        "status": "affected",
        "version": ">= 1.5.1, < 1.5.10"
      }
    ]
  }
]