CVE-2022-25918
MEDIUM
shescape >=1.5.10 <1.6.1 - Regular Expression Denial of Service via escapeArgBash Function
Title source: llm
Description
The package shescape from 1.5.10 and before 1.6.1 is vulnerable to Regular Expression Denial of Service (ReDoS) via the escape function in index.js, due to the use of an insecure regex in the escapeArgBash function.
References (4)
Core References
Patch, Third Party Advisory
https://github.com/ericcornelissen/shescape/commit/552e8eab56861720b1d4e5474fb65741643358f9
Release Notes, Third Party Advisory
https://github.com/ericcornelissen/shescape/releases/tag/v1.6.1
Exploit, Patch, Third Party Advisory
https://security.snyk.io/vuln/SNYK-JS-SHESCAPE-3061108
Scores
CVSS v3
5.3
EPSS
0.0125
EPSS Percentile
65.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-1333
Status
published
Products (3)
npm/shescape
1.5.10 - 1.6.1
npm
shescape_project/shescape
1.5.10
shescape_project/shescape
1.6.0
Published
Oct 27, 2022
Tracked Since
Feb 18, 2026