
CVE-2022-25918: Regular Expression Denial of Service (ReDoS) in shescape

Severity: Medium
Type: Vulnerability
Published: Thu Oct 27 2022 (10/27/2022, 05:05:09 UTC)
Source: CVE
Vendor/Project: n/a
Product: shescape

Description

The package shescape from 1.5.10 and before 1.6.1 is vulnerable to Regular Expression Denial of Service (ReDoS) via the escape function in index.js, due to the use of an insecure regex in the escapeArgBash function.

AI-Powered Analysis

Last updated: 07/06/2025, 20:41:00 UTC

Technical Analysis

CVE-2022-25918 is a Regular Expression Denial of Service (ReDoS) vulnerability in the 'shescape' package affecting versions from 1.5.10 up to, but not including, 1.6.1. The root cause is an insecure regular expression in the escapeArgBash function, reached through the escape function in index.js. An argument crafted to trigger excessive backtracking during pattern matching consumes a disproportionate amount of CPU time, producing a denial of service. The vulnerability does not affect confidentiality or integrity; it affects availability, since an attacker can slow down or crash applications that run a vulnerable version of shescape. The CVSS 3.1 base score is 5.3 (medium severity): the attack can be launched remotely, requires no authentication or user interaction, and has low attack complexity. Any software that uses shescape to escape shell arguments is exposed, which is common in JavaScript/Node.js applications that invoke shell commands. No exploits are known in the wild, and no official patch is linked in the provided data, but the affected version range implies that upgrading to 1.6.1 or later resolves the issue.

Potential Impact

For European organizations, the impact of CVE-2022-25918 depends on their use of the shescape package within their software stacks, particularly in Node.js applications that execute shell commands. Exploitation could lead to denial of service conditions, causing application slowdowns or crashes, potentially disrupting business operations, automated workflows, or critical services. This is particularly concerning for organizations relying on cloud services, CI/CD pipelines, or internal tooling that may use vulnerable versions of shescape. While the vulnerability does not expose sensitive data or allow code execution, the availability impact can lead to operational downtime and increased incident response costs. Organizations in sectors with high availability requirements, such as finance, healthcare, and critical infrastructure, may face reputational damage and compliance risks if service disruptions occur. Additionally, the medium severity score suggests that while the threat is not critical, it should not be ignored, especially in environments where resource exhaustion can cascade into broader system failures.

Mitigation Recommendations

European organizations should inventory their software dependencies to identify any use of the shescape package, particularly versions from 1.5.10 up to, but not including, 1.6.1. The immediate mitigation is to upgrade to version 1.6.1 or later, where the insecure regex is fixed. Where upgrading is not immediately feasible, validate and bound the inputs passed to the escapeArgBash function (length limits and rejection of unexpectedly complex arguments) to reduce the chance of triggering the ReDoS condition. Applying runtime resource limits (CPU and memory quotas) to processes that invoke shell commands helps contain the impact of an attack. Monitoring application logs and performance metrics for unusual CPU spikes or slowdowns tied to shell command execution gives early detection of exploitation attempts. Adding fuzz testing and static analysis focused on regular expression vulnerabilities to the development lifecycle helps prevent similar issues.
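The following is an added example, not code from shescape: a guard that applies the two interim mitigations above to any argument-escaping function, capping input length before the escaper (and its regexes) see the argument and timing each call so that a super-linear slowdown surfaces as a monitoring event. The `quoteForSh` stand-in, the thresholds and the `onSlow` hook are assumptions for illustration.

```javascript
// Added example (not shescape's code): length cap plus per-call timing
// around an arbitrary escaper, and a development-time growth check.

const MAX_ARG_LENGTH = 4096; // assumption: tune to the longest legitimate argument
const SLOW_CALL_MS = 50;     // assumption: threshold for reporting a slow escape

// Minimal stand-in escaper for POSIX sh (single-quote wrapping), linear in
// input size. This is NOT shescape's escapeArgBash; inject the real one.
function quoteForSh(arg) {
  return "'" + arg.replace(/'/g, "'\\''") + "'";
}

// Wrap an escaper with a length cap and per-call timing.
// onSlow receives { length, elapsedMs } for calls slower than slowMs.
function makeGuardedEscape(escapeFn, options = {}) {
  const { maxLength = MAX_ARG_LENGTH, slowMs = SLOW_CALL_MS, onSlow = () => {} } = options;
  return function guardedEscape(arg) {
    const s = String(arg);
    if (s.length > maxLength) {
      // Reject rather than truncate: a silently shortened argument would
      // change the meaning of the command being built.
      throw new RangeError(`argument length ${s.length} exceeds cap of ${maxLength}`);
    }
    const start = process.hrtime.bigint();
    const out = escapeFn(s);
    const elapsedMs = Number(process.hrtime.bigint() - start) / 1e6;
    if (elapsedMs > slowMs) onSlow({ length: s.length, elapsedMs });
    return out;
  };
}

// Development-time check: time the escaper on inputs of doubling length. A
// well-behaved escaper roughly doubles; a backtracking regex grows far faster.
function measureGrowth(escapeFn, makeInput, sizes = [256, 512, 1024, 2048]) {
  return sizes.map((n) => {
    const input = makeInput(n);
    const start = process.hrtime.bigint();
    escapeFn(input);
    return { size: n, elapsedMs: Number(process.hrtime.bigint() - start) / 1e6 };
  });
}

// Example use with the stand-in escaper.
const guardedEscape = makeGuardedEscape(quoteForSh, {
  onSlow: (e) => console.warn(`slow escape: ${e.length} chars took ${e.elapsedMs.toFixed(1)} ms`),
});
console.log(guardedEscape("it's a test")); // prints 'it'\''s a test'
console.log(measureGrowth(quoteForSh, (n) => "'".repeat(n)));
```

In production the timings from `measureGrowth` belong in a CI check with a generous ratio threshold rather than in the request path; `onSlow` is the hook to feed a metric or log line.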


Technical Details

Data Version: 5.1
Assigner Short Name: snyk
Date Reserved: 2022-02-24T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d981dc4522896dcbdaf8b

Added to database: 5/21/2025, 9:08:45 AM

Last enriched: 7/6/2025, 8:41:00 PM

Last updated: 7/26/2025, 8:04:20 PM

