CVE-2022-36064

MEDIUM

Shescape - Inefficient Regular Expression Complexity

Title source: llm

Description

Shescape is a shell escape package for JavaScript. An Inefficient Regular Expression Complexity vulnerability impacts users that use Shescape to escape arguments for the Unix shells `Bash` and `Dash`, or any not-officially-supported Unix shell; and/or using the `escape` or `escapeAll` functions with the `interpolation` option set to `true`. An attacker can cause polynomial backtracking or quadratic runtime in terms of the input string length due to two Regular Expressions in Shescape that are vulnerable to Regular Expression Denial of Service (ReDoS). This bug has been patched in v1.5.10. For `Dash` only, this bug has been patched since v1.5.9. As a workaround, a maximum length can be enforced on input strings to Shescape to reduce the impact of the vulnerability. It is not recommended to try and detect vulnerable input strings, as the logic for this may end up being vulnerable to ReDoS itself.

References (3)

[Exploit, Issue Tracking, Mitigation, Third Party Advisory] https://github.com/ericcornelissen/shescape/security/advisories/GHSA-gp75-h7j6-5pv3

[Issue Tracking, Patch, Third Party Advisory] https://github.com/ericcornelissen/shescape/pull/373

[Release Notes, Third Party Advisory] https://github.com/ericcornelissen/shescape/releases/tag/v1.5.10

Scores

CVSS v3 5.9

EPSS 0.0056

EPSS Percentile 68.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-1333 CWE-400

Status published

Products (1)

shescape_project/shescape 1.5.1 - 1.5.10

Published Sep 06, 2022

Tracked Since Feb 18, 2026