1.6.0

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

HIGH

network

low complexity

shescape-project

NVD

Published: 2022-10-27

Updated: 2024-11-21

Summary

The package shescape from 1.5.10 and before 1.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the escape function in index.js, due to the usage of insecure regex in the escapeArgBash function.

Vulnerable Configurations

Part	Description	Count
Application	Shescape_Project Shescape Project Shescape 1.5.10 Shescape Project Shescape 1.6.0	2

References

https://github.com/ericcornelissen/shescape/blob/main/src/unix.js%23L52
https://github.com/ericcornelissen/shescape/blob/main/src/unix.js%23L52
https://github.com/ericcornelissen/shescape/commit/552e8eab56861720b1d4e5474fb65741643358f9
https://github.com/ericcornelissen/shescape/commit/552e8eab56861720b1d4e5474fb65741643358f9
https://github.com/ericcornelissen/shescape/releases/tag/v1.6.1
https://github.com/ericcornelissen/shescape/releases/tag/v1.6.1
https://security.snyk.io/vuln/SNYK-JS-SHESCAPE-3061108
https://security.snyk.io/vuln/SNYK-JS-SHESCAPE-3061108