What is CVE-2022-36064?

CVE-2022-36064 is a vulnerability that affects the Shescape shell escape package for JavaScript.

What software is affected by CVE-2022-36064?

The Shescape package with versions between 1.5.1 and 1.5.10 in the Node.js environment is affected by CVE-2022-36064.

How does CVE-2022-36064 impact users?

CVE-2022-36064 can impact users who use Shescape to escape arguments for Unix shells, such as Bash and Dash, or any not-officially-supported Unix shell, and those who use the 'escape' or 'escapeAll' functions.

What is the severity of CVE-2022-36064?

CVE-2022-36064 has a severity rating of high (7.5).

How can I fix CVE-2022-36064?

To fix CVE-2022-36064, you should update the Shescape package to version 1.5.10 or higher.

Vulnerability/
CVE-2022-36064

high

7.5

CWE

1333 400

6/9/2022

3/8/2024

CVE-2022-36064: Shescape Inefficient Regular Expression Complexity vulnerability

First published: Tue Sep 06 2022(Updated: )

Shescape is a shell escape package for JavaScript. An Inefficient Regular Expression Complexity vulnerability impacts users that use Shescape to escape arguments for the Unix shells `Bash` and `Dash`, or any not-officially-supported Unix shell; and/or using the `escape` or `escapeAll` functions with the `interpolation` option set to `true`. An attacker can cause polynomial backtracking or quadratic runtime in terms of the input string length due to two Regular Expressions in Shescape that are vulnerable to Regular Expression Denial of Service (ReDoS). This bug has been patched in v1.5.10. For `Dash` only, this bug has been patched since v1.5.9. As a workaround, a maximum length can be enforced on input strings to Shescape to reduce the impact of the vulnerability. It is not recommended to try and detect vulnerable input strings, as the logic for this may end up being vulnerable to ReDoS itself.

Credit: security-advisories@github.com security-advisories@github.com

Affected Software	Affected Version	How to fix
Shescape Project Shescape Node.js	>=1.5.1<1.5.10

Remedy

https://github.com/ericcornelissen/shescape/pull/373

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2022-36064?
CVE-2022-36064 is a vulnerability that affects the Shescape shell escape package for JavaScript.
What software is affected by CVE-2022-36064?
The Shescape package with versions between 1.5.1 and 1.5.10 in the Node.js environment is affected by CVE-2022-36064.
How does CVE-2022-36064 impact users?
CVE-2022-36064 can impact users who use Shescape to escape arguments for Unix shells, such as Bash and Dash, or any not-officially-supported Unix shell, and those who use the 'escape' or 'escapeAll' functions.
What is the severity of CVE-2022-36064?
CVE-2022-36064 has a severity rating of high (7.5).
How can I fix CVE-2022-36064?
To fix CVE-2022-36064, you should update the Shescape package to version 1.5.10 or higher.

agent/weakness
agent/author
agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/references
agent/last-modified-date
agent/remedy
agent/title
agent/severity
agent/first-publish-date
agent/description
agent/event
agent/source
agent/tags
collector/nvd-index
agent/software-canonical-lookup-request
collector/nvd-api
vendor/shescape project
canonical/shescape project shescape node.js
version/shescape project shescape node.js/1.5.1

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.