CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile: 58.9%
This impacts users that use shescape to escape arguments with the escape or escapeAll functions while the interpolation option is set to true. An attacker can cause polynomial backtracking in terms of the input string length due to a Regular Expression in shescape that is vulnerable to Regular Expression Denial of Service (ReDoS). Example:
import * as shescape from "shescape";

/* 1. Prerequisites: interpolation enabled, and a shell that is handled by
      the affected unix escaping logic (pick one of the three shell values) */
const options = {
  interpolation: true,
  shell: "/bin/bash",
  // or: shell: "some-not-officially-supported-shell",
  // or: shell: undefined, // only if the system's default shell is bash or an unsupported shell
};

/* 2. Attack: input that triggers polynomial backtracking */
const userInput = "{,".repeat(150_000);

/* 3. Usage */
shescape.escape(userInput, options);
// or
shescape.escapeAll([userInput], options);
This bug has been patched in v1.6.1 which you can upgrade to now. No further changes required.
Alternatively, a maximum length can be enforced on input strings to shescape to reduce the impact of the vulnerability. It is not recommended to try and detect vulnerable input strings, as the logic for this may end up being vulnerable to ReDoS itself.
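The following is an added example; it is not code from shescape or from the advisory above. It uses a constructed stand-in regex (an assumption for illustration, not the regex at src/unix.js) with the same polynomial-backtracking shape to measure how matching cost grows with the length of the "{," payload, and shows the length-cap workaround as a wrapper, escapeWithLimit, around whatever escaper is in use (shescape.escape in practice; a constructed standInEscape here so the file runs offline). The regex, the function names and the cap value are all assumptions of this example:

```javascript
// Added example for this advisory; not code from shescape. It shows how a
// regex with polynomial backtracking makes escaping cost grow super-linearly
// with input length, and how the advisory's workaround (a length cap) bounds
// that cost. ASSUMPTION: STAND_IN_POLY is a constructed regex with the same
// failure shape (two adjacent unbounded quantifiers over the same token,
// then a character the attacker never supplies). It is NOT shescape's regex.
const STAND_IN_POLY = /^(?:\{,)*(?:\{,)*\}/;

// Same intent with a single quantifier: backtracking is linear in the input.
const STAND_IN_LINEAR = /^(?:\{,)*\}/;

// Payload shape from the advisory: "{," repeated n times. The closing "}" the
// regex needs never appears, so every split between the two loops is tried.
function payload(n) {
  return "{,".repeat(n);
}

// Wall-clock cost in ms of one regex test, best of `runs` to damp noise.
function costMs(re, input, runs = 3) {
  let best = Infinity;
  for (let i = 0; i < runs; i++) {
    const t0 = process.hrtime.bigint();
    re.test(input);
    const dt = Number(process.hrtime.bigint() - t0) / 1e6;
    if (dt < best) best = dt;
  }
  return best;
}

// Cost at 2n divided by cost at n: about 2 for linear behaviour, about 4 for
// quadratic backtracking. Timing is noisy for sub-millisecond runs, so only
// read the ratio when the smaller run takes measurable time.
function growthRatio(re, n) {
  re.test(payload(8)); // warm-up so V8's regexp tier-up does not skew the numbers
  const small = costMs(re, payload(n));
  const large = costMs(re, payload(2 * n));
  return large / Math.max(small, 1e-3);
}

// Workaround from the advisory: reject over-long input before it reaches the
// escaper. Whatever the regex's complexity, the cost is now bounded by a
// constant the caller chooses. `escapeFn` is the escaper actually in use
// (shescape.escape in real code); it is passed in so this file runs offline.
// Do not try to pattern-match "bad" input instead: that detection regex can
// itself be ReDoS-prone, which is exactly what the advisory warns against.
function escapeWithLimit(escapeFn, input, maxLength, options) {
  if (typeof input !== "string") {
    throw new TypeError("input must be a string");
  }
  if (input.length > maxLength) {
    throw new RangeError(`input of ${input.length} chars exceeds limit ${maxLength}`);
  }
  return escapeFn(input, options);
}

// Constructed stand-in escaper: runs the vulnerable regex, returns the input.
function standInEscape(input) {
  STAND_IN_POLY.test(input);
  return input;
}

console.log("polynomial stand-in, cost(2n)/cost(n):",
  growthRatio(STAND_IN_POLY, 4000).toFixed(1)); // about 4 (quadratic)
console.log("linear stand-in, cost(2n)/cost(n):",
  growthRatio(STAND_IN_LINEAR, 4000).toFixed(1));
try {
  escapeWithLimit(standInEscape, payload(100_000), 1024);
} catch (e) {
  console.log("capped escaper rejected payload:", e.message);
}
```

The cap value (1024 here) is a per-application decision: pick the longest argument the program legitimately needs to escape, since the bound is what turns a polynomial cost into a constant one. The ratio for the linear stand-in is only meaningful once n is large enough for the smaller run to take measurable time.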
github.com/ericcornelissen/shescape
github.com/ericcornelissen/shescape/blob/main/src/unix.js#L52
github.com/ericcornelissen/shescape/commit/552e8eab56861720b1d4e5474fb65741643358f9
github.com/ericcornelissen/shescape/releases/tag/v1.6.1
github.com/ericcornelissen/shescape/security/advisories/GHSA-cr84-xvw4-qx3c
nvd.nist.gov/vuln/detail/CVE-2022-25918
security.snyk.io/vuln/SNYK-JS-SHESCAPE-3061108