Description

The package shescape from 1.5.10 and before 1.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the escape function in index.js, due to the usage of insecure regex in the escapeArgBash function.

Remediation

References

https://github.com/ericcornelissen/shescape/blob/main/src/unix.js%23L52

https://github.com/ericcornelissen/shescape/commit/552e8eab56861720b1d4e5474fb65741643358f9

https://github.com/ericcornelissen/shescape/releases/tag/v1.6.1

https://security.snyk.io/vuln/SNYK-JS-SHESCAPE-3061108

Related Vulnerabilities

CVE-2023-32070 Vulnerability in maven package org.xwiki.rendering:xwiki-rendering-syntax-html5

CVE-2018-11650 Vulnerability in maven package org.graylog2:graylog2-server

CVE-2020-28458 Vulnerability in maven package org.webjars.npm:datatables.net

CVE-2020-19676 Vulnerability in maven package com.alibaba.nacos:nacos-api

CVE-2021-33611 Vulnerability in maven package org.webjars.bowergithub.vaadin:vaadin-menu-bar

Severity

High

Classification

CWE-1333 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Tags

Broken Link Patch Third Party Advisory Release Notes Exploit