Headline
CVE-2022-36064: Release Release v1.5.10 · ericcornelissen/shescape
Shescape is a shell escape package for JavaScript. An Inefficient Regular Expression Complexity vulnerability impacts users that use Shescape to escape arguments for the Unix shells Bash and Dash, or any not-officially-supported Unix shell; and/or using the escape or escapeAll functions with the interpolation option set to true. An attacker can cause polynomial backtracking or quadratic runtime in terms of the input string length due to two Regular Expressions in Shescape that are vulnerable to Regular Expression Denial of Service (ReDoS). This bug has been patched in v1.5.10. For Dash only, this bug has been patched since v1.5.9. As a workaround, a maximum length can be enforced on input strings to Shescape to reduce the impact of the vulnerability. It is not recommended to try and detect vulnerable input strings, as the logic for this may end up being vulnerable to ReDoS itself.
Compare
Choose a tag to compare
Latest
Latest
github-actions released this
v1.5.10
This tag was signed with the committer’s verified signature.
ericcornelissen Eric Cornelissen
GPG key ID: 76670872666D0F19
Learn about vigilant mode.
656ecbc
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: 4AEE18F83AFDEB23
Learn about vigilant mode.
Compare
Choose a tag to compare
- Fix potential polynomial backtracking in regular expression for Bash escaping with {interpolation:true}. (#373)
- Fix potential quadratic runtime regular expressions for Bash escaping with {interpolation:true}. (#373)