Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1jcjg0LXh2dzQtcXgzY84AAvio
Inefficient Regular Expression Complexity in shescape
Impact
This impacts users that use shescape to escape arguments:
- for the Unix shell Bash, or any not-officially-supported Unix shell;
- using the
escape
orescapeAll
functions with theinterpolation
option set totrue
.
An attacker can cause polynomial backtracking in terms of the input string length due to a Regular Expression in shescape that is vulnerable to Regular Expression Denial of Service (ReDoS). Example:
import * as shescape from "shescape";
/* 1. Prerequisites */
const options = {
interpolation: true,
// and
shell: "/bin/bash",
// or
shell: "some-not-officially-supported-shell",
// or
shell: undefined, // Only if the system's default shell is bash or an unsupported shell.
};
/* 2. Attack */
let userInput = '{,'.repeat(150_000); // polynomial backtracking
/* 3. Usage */
shescape.escape(userInput, options);
// or
shescape.escapeAll([userInput], options);
Patches
This bug has been patched in v1.6.1 which you can upgrade to now. No further changes required.
Workarounds
Alternatively, a maximum length can be enforced on input strings to shescape to reduce the impact of the vulnerability. It is not recommended to try and detect vulnerable input strings, as the logic for this may end up being vulnerable to ReDoS itself.
References
For more information
- Comment on commit 552e8ea
- Open an issue at https://github.com/ericcornelissen/shescape/issues (New issue > Question > Get started)
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jcjg0LXh2dzQtcXgzY84AAvio
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 2 years ago
Updated: about 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Percentage: 0.00207
EPSS Percentile: 0.58737
Identifiers: GHSA-cr84-xvw4-qx3c, CVE-2022-25918
References:
- https://github.com/ericcornelissen/shescape/security/advisories/GHSA-cr84-xvw4-qx3c
- https://nvd.nist.gov/vuln/detail/CVE-2022-25918
- https://github.com/ericcornelissen/shescape/commit/552e8eab56861720b1d4e5474fb65741643358f9
- https://github.com/ericcornelissen/shescape/blob/main/src/unix.js%23L52
- https://github.com/ericcornelissen/shescape/releases/tag/v1.6.1
- https://security.snyk.io/vuln/SNYK-JS-SHESCAPE-3061108
- https://github.com/advisories/GHSA-cr84-xvw4-qx3c
Blast Radius: 10.9
Affected Packages
npm:shescape
Dependent packages: 15Dependent repositories: 28
Downloads: 13,419 last month
Affected Version Ranges: >= 1.5.10, < 1.6.1
Fixed in: 1.6.1
All affected versions: 1.5.10, 1.6.0
All unaffected versions: 0.1.0, 0.2.0, 0.2.1, 0.3.0, 0.3.1, 0.4.0, 0.4.1, 1.0.0, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.4.0, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.5.9, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.6.7, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1