Description
The package shescape from 1.5.10 and before 1.6.1 is vulnerable to Regular Expression Denial of Service (ReDoS) via the escape function in index.js, due to the use of an insecure regex in the escapeArgBash function.
References
- Broken Link
- Patch, Third Party Advisory
- Release Notes, Third Party Advisory
- Exploit, Patch, Third Party Advisory
Vulnerable configurations
Configuration 1
One of
cpe:2.3:a:shescape_project:shescape:1.5.10:*:*:*:*:node.js:*:*
cpe:2.3:a:shescape_project:shescape:1.6.0:*:*:*:*:node.js:*:*
EPSS: 0.00217 (Low), percentile: 44%
CVSS3: 5.3 Medium
CVSS3: 7.5 High
Weaknesses
CWE-1333
Related vulnerabilities
CVSS3: 7.5
github
more than 3 years ago
Inefficient Regular Expression Complexity in shescape