Lucene search
SnykCVELIST:CVE-2022-25918HistoryOct 27, 2022 - 5:05 a.m.
CVE-2022-25918 Regular Expression Denial of Service (ReDoS)
2022-10-2705:05:09
snyk
www.cve.org
1
package shescape
redos
escape function
index.js
insecure regex
CVSS3
5.3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS
0.002
Percentile
58.9%
The package shescape from 1.5.10 and before 1.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the escape function in index.js, due to the usage of insecure regex in the escapeArgBash function.
CNA Affected
[
{
"vendor": "n/a",
"product": "shescape",
"versions": [
{
"version": "1.5.10",
"status": "affected",
"lessThan": "unspecified",
"versionType": "custom"
},
{
"version": "unspecified",
"lessThan": "1.6.1",
"status": "affected",
"versionType": "custom"
}
]
}
]Related
nvd
nvd
CVE-2022-25918
2022-10-27 10:15:10
osv
osv
Inefficient Regular Expression Complexity in shescape
2022-10-25 22:27:32
CVE-2022-25918
2022-10-27 10:15:10
veracode
veracode
Regular Expression Denial Of Service (ReDoS)
2022-10-28 05:35:07
prion
prion
Code injection
2022-10-27 10:15:00
github
github
Inefficient Regular Expression Complexity in shescape
2022-10-25 22:27:32
cve
cve
CVE-2022-25918
2022-10-27 10:15:10
CVSS3
5.3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS
0.002
Percentile
58.9%
Related for CVELIST:CVE-2022-25918