CVE-2022-36064: CWE-1333: Inefficient Regular Expression Complexity in ericcornelissen shescape
Shescape is a shell escape package for JavaScript. An Inefficient Regular Expression Complexity vulnerability impacts users that use Shescape to escape arguments for the Unix shells `Bash` and `Dash`, or any not-officially-supported Unix shell; and/or using the `escape` or `escapeAll` functions with the `interpolation` option set to `true`. An attacker can cause polynomial backtracking or quadratic runtime in terms of the input string length due to two Regular Expressions in Shescape that are vulnerable to Regular Expression Denial of Service (ReDoS). This bug has been patched in v1.5.10. For `Dash` only, this bug has been patched since v1.5.9. As a workaround, a maximum length can be enforced on input strings to Shescape to reduce the impact of the vulnerability. It is not recommended to try and detect vulnerable input strings, as the logic for this may end up being vulnerable to ReDoS itself.
AI Analysis
Technical Summary
CVE-2022-36064 is a vulnerability identified in the JavaScript package 'shescape', developed by ericcornelissen, which is used to safely escape shell arguments for Unix shells such as Bash and Dash. The vulnerability arises from inefficient regular expression complexity in two specific regular expressions used within the package. When the 'escape' or 'escapeAll' functions are invoked with the 'interpolation' option set to true, these regular expressions can exhibit polynomial or quadratic runtime relative to the input string length. This behavior leads to a Regular Expression Denial of Service (ReDoS) condition, where an attacker can supply crafted input strings that cause excessive CPU consumption due to backtracking in the regex engine. The affected versions are from 1.5.1 up to but not including 1.5.10, with the Dash shell-specific fix introduced in version 1.5.9 and a full patch in 1.5.10. The vulnerability does not require user authentication or interaction beyond supplying input to the vulnerable functions. No known exploits have been reported in the wild. As a mitigation, limiting the maximum length of input strings passed to shescape can reduce the risk, but attempting to detect malicious input patterns is discouraged since detection logic may itself be vulnerable to ReDoS. The root cause is classified under CWE-1333 (Inefficient Regular Expression Complexity) and CWE-400 (Uncontrolled Resource Consumption).
Potential Impact
The primary impact of this vulnerability is a denial of service condition caused by excessive CPU consumption when processing specially crafted input strings. For European organizations using shescape in their JavaScript applications, particularly those that escape shell commands for Bash, Dash, or other Unix shells, this could lead to service degradation or outages if an attacker can influence input to the vulnerable functions. This is especially relevant for web services, automation scripts, or CI/CD pipelines that rely on shescape for shell command construction. While the vulnerability does not directly compromise confidentiality or integrity, the availability impact can disrupt business operations, cause delays, or trigger cascading failures in dependent systems. Given the widespread use of JavaScript and Unix shells in European IT environments, organizations with public-facing applications or internal tools that incorporate shescape are at risk. Because no authentication is required, an attacker could trigger the condition remotely wherever an input vector reaches the vulnerable functions. However, since no exploits are currently known in the wild, the immediate risk is moderate but warrants prompt remediation to prevent potential abuse.
Mitigation Recommendations
Upgrade all instances of the shescape package to version 1.5.10 or later, which contains the official patch for this vulnerability. If immediate upgrade is not feasible, implement input validation to enforce strict maximum length limits on strings passed to the 'escape' and 'escapeAll' functions with the 'interpolation' option enabled, thereby reducing the risk of triggering ReDoS. Avoid attempting to detect malicious input patterns for ReDoS, as such detection logic can itself be vulnerable to similar attacks. Review and audit all codebases and dependencies that utilize shescape, especially those that handle untrusted or user-supplied input, to identify and remediate vulnerable usage patterns. Implement runtime monitoring and alerting for abnormal CPU usage or performance degradation in services that use shescape, enabling early detection of potential exploitation attempts. Consider sandboxing or isolating processes that execute shell commands constructed via shescape to limit the impact of potential denial of service conditions. Engage in secure coding practices by minimizing reliance on complex regular expressions for input processing and prefer safer parsing methods where possible.
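As an added example (not code from shescape or its author), the wrapper below applies two of the recommendations above: it rejects over-length input before any regular expression runs, and it times each call so that unusually slow escapes can be surfaced to monitoring. The real `shescape.escape` (v1.5.10 or later) is passed in as `escapeFn`; the cap, the threshold and the stand-in escaper are assumptions.

```javascript
// Added example (not shescape's own code): length cap + per-call timing.
const MAX_INPUT_LENGTH = 1024;      // assumed cap; tune to what the app needs
const SLOW_CALL_THRESHOLD_MS = 50;  // assumed alerting threshold

class InputTooLongError extends Error {
  constructor(length, max) {
    super(`input of ${length} UTF-16 code units exceeds cap of ${max}`);
    this.name = "InputTooLongError";
  }
}

// escapeFn is the real escaper (e.g. shescape.escape from v1.5.10 or later),
// injected so this file runs stand-alone. Returns the guarded function plus
// the slow-call records collected for a monitoring hook.
function makeGuardedEscape(escapeFn, {
  maxLength = MAX_INPUT_LENGTH,
  slowThresholdMs = SLOW_CALL_THRESHOLD_MS,
  onSlow = () => {},
} = {}) {
  const slowCalls = [];
  function escape(arg, options) {
    const s = String(arg);
    // Reject purely by length. Do not try to pattern-match "dangerous"
    // inputs: that matcher could itself be vulnerable to ReDoS.
    if (s.length > maxLength) throw new InputTooLongError(s.length, maxLength);
    const start = process.hrtime.bigint();
    const out = escapeFn(s, options);
    const elapsedMs = Number(process.hrtime.bigint() - start) / 1e6;
    if (elapsedMs > slowThresholdMs) {
      const interpolation = Boolean(options && options.interpolation);
      const record = { length: s.length, elapsedMs, interpolation };
      slowCalls.push(record);
      onSlow(record);
    }
    return out;
  }
  return { escape, slowCalls };
}

// Constructed stand-in for the real escaper: POSIX single-quote wrapping.
// It is NOT shescape's implementation.
function standInEscape(arg) {
  return "'" + arg.replace(/'/g, "'\\''") + "'";
}

const guarded = makeGuardedEscape(standInEscape, { maxLength: 64 });
```

Wire `onSlow` to the service's alerting so that a burst of slow records with `interpolation: true` stands out as a candidate ReDoS attempt rather than disappearing into generic CPU graphs.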
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Ireland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-07-15T00:00:00.000Z
- Cisa Enriched: true
Threat ID: 682d9849c4522896dcbf68ea
Added to database: 5/21/2025, 9:09:29 AM
Last enriched: 6/21/2025, 11:41:34 PM
Last updated: 8/17/2025, 2:47:11 PM