PT-2022-17604 · Shescape · Shescape

Author: Elliot Ward
Published: 2022-10-25
Updated: 2025-05-05
CVE: CVE-2022-25918
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Software and Versions: shescape 1.5.10 up to but not including 1.6.1 (patched in 1.6.1)
Description: Shescape is vulnerable to Regular Expression Denial of Service (ReDoS) through the escape function in index.js, caused by an insecure regular expression in the internal escapeArgBash function. Affected are users who use Shescape to escape arguments for Bash, or for any Unix shell that is not officially supported, and who call escape or escapeAll with the interpolation option set to true. An attacker who controls the string being escaped can trigger polynomial backtracking in the regex engine, so the CPU time consumed grows polynomially with the length of the input and a sufficiently long argument can stall the calling process. The impact is limited to availability (C:N/I:N/A:H); the escaping result itself is not affected. To check exposure, look for calls to escape or escapeAll with { interpolation: true } where the target shell is Bash or an unsupported shell and the argument can be influenced by untrusted input.
Recommendations: Upgrade to shescape 1.6.1 or later. If upgrading is not immediately possible, enforce a maximum length on strings passed to Shescape as a temporary workaround; this bounds the backtracking cost for a given input size but does not remove the vulnerable pattern, so it should only be used until the upgrade is done.
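The following is an added example and is not Shescape's code; the brace-group escaping step, its regular expression, the 1024-character limit and all function names are hypothetical. It shows the class of defect the advisory describes: a lazy `.*?` regex that is correct on normal input but backtracks polynomially on a crafted one, the same step rewritten as a single linear pass with constant state, and the input-length cap that the advisory proposes as a stop-gap.

```javascript
// Added example (not shescape's code): a hypothetical "escape a Bash brace
// group" step, first as a backtracking regex, then as a linear scanner, plus
// the input-length cap the advisory suggests as a temporary workaround.

// Hypothetical vulnerable step. On input like "{,{,{,..." with no closing
// brace, the engine re-scans to the end of the string once per comma for
// every "{" start position: O(n^2) per start, O(n^3) overall.
const BRACE_GROUP_VULNERABLE = /\{(.*?),(.*?)\}/g;

function escapeBracesVulnerable(arg) {
  return arg.replace(BRACE_GROUP_VULNERABLE, (group) => "\\" + group);
}

// Linear rewrite with the same result: one pass, three states. A "{" opens a
// candidate group, the first "," after it arms it, the first "}" after that
// closes it; a newline aborts the candidate, mirroring "." not matching "\n".
function escapeBracesLinear(arg) {
  const IDLE = 0, WANT_COMMA = 1, WANT_CLOSE = 2;
  let state = IDLE;
  let open = -1;
  const toEscape = new Set(); // indices of "{" that start a matched group

  for (let i = 0; i < arg.length; i++) {
    const ch = arg[i];
    if (ch === "\n") {
      state = IDLE;
    } else if (ch === "{" && state === IDLE) {
      state = WANT_COMMA;
      open = i;
    } else if (ch === "," && state === WANT_COMMA) {
      state = WANT_CLOSE;
    } else if (ch === "}" && state === WANT_CLOSE) {
      toEscape.add(open);
      state = IDLE;
    }
  }

  let out = "";
  for (let i = 0; i < arg.length; i++) {
    if (toEscape.has(i)) out += "\\";
    out += arg[i];
  }
  return out;
}

// Stop-gap from the advisory: bound the input so the polynomial cost stays
// bounded too. 1024 is an arbitrary limit chosen for this example.
const MAX_ARG_LENGTH = 1024;

function escapeBracesWithCap(arg) {
  if (typeof arg !== "string") throw new TypeError("argument must be a string");
  if (arg.length > MAX_ARG_LENGTH) {
    throw new RangeError(`argument too long (${arg.length} > ${MAX_ARG_LENGTH})`);
  }
  return escapeBracesVulnerable(arg);
}

// Constructed hostile input: n candidate groups, none of them ever closed.
function hostileInput(n) {
  return "{,".repeat(n);
}

function timeMs(fn, input) {
  const start = performance.now();
  fn(input);
  return performance.now() - start;
}

// Stand-alone demo: doubling n multiplies the regex time by roughly eight,
// while the linear scanner stays flat. Kept small so the demo finishes quickly.
function demo() {
  for (const n of [50, 100, 200]) {
    const input = hostileInput(n);
    console.log(
      `n=${n}: regex ${timeMs(escapeBracesVulnerable, input).toFixed(1)} ms, ` +
      `linear ${timeMs(escapeBracesLinear, input).toFixed(2)} ms`
    );
  }
}
demo();
```

The regex and the scanner produce the same output on flat and nested inputs, so the rewrite is a drop-in replacement; the difference is only in cost. The cap is deliberately placed in front of the vulnerable version, because that is the situation the workaround addresses: the pattern is still there, but an attacker can no longer choose the input size that makes it expensive.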

Exploit

Fix

DoS

Weakness Enumeration

Related Identifiers

CVE-2022-25918
GHSA-CR84-XVW4-QX3C

Affected Products

Shescape