Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1jcjg0LXh2dzQtcXgzY84AAvio

Inefficient Regular Expression Complexity in shescape

Impact

This impacts users that use shescape to escape arguments:

An attacker can cause polynomial backtracking in terms of the input string length due to a Regular Expression in shescape that is vulnerable to Regular Expression Denial of Service (ReDoS). Example:

import * as shescape from "shescape";

/* 1. Prerequisites */
const options = {
  interpolation: true,
  // and
  shell: "/bin/bash",
  // or
  shell: "some-not-officially-supported-shell",
  // or
  shell: undefined, // Only if the system's default shell is bash or an unsupported shell.
};

/* 2. Attack */
let userInput = '{,'.repeat(150_000); // polynomial backtracking

/* 3. Usage */
shescape.escape(userInput, options);
// or
shescape.escapeAll([userInput], options);

Patches

This bug has been patched in v1.6.1 which you can upgrade to now. No further changes required.

Workarounds

Alternatively, a maximum length can be enforced on input strings to shescape to reduce the impact of the vulnerability. It is not recommended to try and detect vulnerable input strings, as the logic for this may end up being vulnerable to ReDoS itself.

References

For more information

Permalink: https://github.com/advisories/GHSA-cr84-xvw4-qx3c
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jcjg0LXh2dzQtcXgzY84AAvio
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 2 years ago
Updated: about 1 year ago


CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Percentage: 0.00207
EPSS Percentile: 0.58737

Identifiers: GHSA-cr84-xvw4-qx3c, CVE-2022-25918
References: Repository: https://github.com/ericcornelissen/shescape
Blast Radius: 10.9

Affected Packages

npm:shescape
Dependent packages: 15
Dependent repositories: 28
Downloads: 13,419 last month
Affected Version Ranges: >= 1.5.10, < 1.6.1
Fixed in: 1.6.1
All affected versions: 1.5.10, 1.6.0
All unaffected versions: 0.1.0, 0.2.0, 0.2.1, 0.3.0, 0.3.1, 0.4.0, 0.4.1, 1.0.0, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.4.0, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.5.9, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.6.7, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1