PT-2022-23152 · Shescape · Shescape

Author: Ericcornelissen · Published: 2022-09-06 · Updated: 2023-07-21 · CVE-2022-36064

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions:
Shescape versions prior to 1.5.10
Shescape version 1.5.9 for Bash

Description: An Inefficient Regular Expression Complexity issue (ReDoS) affects Shescape users who use it to escape arguments for Unix shells, including Bash and Dash, in particular when calling the escape or escapeAll functions with the interpolation option set to true. An attacker who controls the input string can trigger polynomial backtracking or quadratic runtime in the length of that string because of vulnerable regular expressions. As a workaround, enforcing a maximum length on input strings limits the impact of the vulnerability.

Recommendations: For versions prior to 1.5.10, update to version 1.5.10 or later. For version 1.5.9 used with Bash, update to version 1.5.10 or later. As a temporary workaround, enforce a maximum length on input strings passed to Shescape to minimize the risk of exploitation.
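The following is an added example of the recommended workaround and is not Shescape's own code or part of this advisory. It bounds the length of every argument before the argument reaches an escaping function, so that over-long attacker-controlled input never hits the affected regular expressions. The escaper is passed in as a parameter so the file runs offline; `fakeEscape` is a constructed stand-in used only so the example is self-contained, and `MAX_ARG_LENGTH` is an assumed limit. In real use, pass Shescape's `escape` or `escapeAll` (with whatever options the caller already uses) in place of the stand-in.

```javascript
// Added example (not Shescape's code): length guard applied before escaping.

// Assumed limit; tune it to the longest legitimate argument the caller needs.
const MAX_ARG_LENGTH = 1024;

// Validate every argument before any of them is escaped. Returns
// { ok: true, escaped: [...] } when all arguments pass, or
// { ok: false, rejected: [indices] } listing the offending positions.
// No escaper is called at all when any argument is rejected, so a single
// oversized argument cannot cost quadratic time.
function escapeAllBounded(args, escapeFn, maxLength = MAX_ARG_LENGTH) {
  const rejected = [];
  args.forEach((arg, i) => {
    if (typeof arg !== "string" || arg.length > maxLength) {
      rejected.push(i);
    }
  });
  if (rejected.length > 0) {
    return { ok: false, rejected };
  }
  return { ok: true, escaped: args.map((arg) => escapeFn(arg)) };
}

// Constructed stand-in escaper: backslash-escapes a few shell metacharacters.
// It is NOT Shescape's algorithm and exists only so this file runs offline;
// substitute shescape's escape/escapeAll in production.
function fakeEscape(arg) {
  return arg.replace(/([ $`"'\\])/g, "\\$1");
}

// Example usage: one acceptable argument and one oversized argument.
const demo = escapeAllBounded(["a b", "x".repeat(5000)], fakeEscape);
if (!demo.ok) {
  console.log("rejected argument indices:", demo.rejected);
}
```

The guard rejects the whole call rather than silently truncating, because a truncated argument would change the command the caller intended to run; the caller can then log the rejection or return an error to the client.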

Exploit

Fix

Resource Exhaustion

DoS

Weakness Enumeration

Related Identifiers: CVE-2022-36064, GHSA-GP75-H7J6-5PV3

Affected Products: Shescape