Description
The package shescape, from version 1.5.10 and before 1.6.1, is vulnerable to Regular Expression Denial of Service (ReDoS) via the escape function in index.js, due to the use of an insecure regular expression in the escapeArgBash function.
Remediation
References
https://github.com/ericcornelissen/shescape/blob/main/src/unix.js%23L52
https://github.com/ericcornelissen/shescape/commit/552e8eab56861720b1d4e5474fb65741643358f9
https://github.com/ericcornelissen/shescape/releases/tag/v1.6.1
https://security.snyk.io/vuln/SNYK-JS-SHESCAPE-3061108