VYPR
High severity · NVD Advisory · Published Oct 27, 2022 · Updated May 5, 2025

Regular Expression Denial of Service (ReDoS)

CVE-2022-25918

Description

The package shescape from 1.5.10 and before 1.6.1 is vulnerable to Regular Expression Denial of Service (ReDoS) via the escape function in index.js, due to the usage of an insecure regex in the escapeArgBash function.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Shescape 1.5.10 to before 1.6.1 is vulnerable to ReDoS in the escapeArgBash function, allowing denial of service via crafted input strings.

Vulnerability

Overview

CVE-2022-25918 is a Regular Expression Denial of Service (ReDoS) vulnerability affecting the shescape package, an escaping utility for shell commands. The vulnerability exists in versions 1.5.10 through 1.6.0 (fixed in 1.6.1) and is located in the escapeArgBash function within index.js. The root cause is an insecure regular expression used for escaping special characters, which can exhibit catastrophic backtracking when processing specially crafted input strings [1].

Attack

Vector and Exploitation

The vulnerable regular expression was introduced in a commit that modified the escapeArgBash function to handle curly braces and other shell metacharacters [3]. An attacker can exploit this vulnerability by supplying a maliciously crafted input string to any application that passes untrusted input through shescape's escape function with Bash as the target shell. The attack requires no authentication or special network access beyond the ability to supply input that reaches the vulnerable function. The crafted input triggers catastrophic backtracking in the regex engine, so processing time grows polynomially or exponentially with input length instead of linearly [4].

Impact

Successful exploitation leads to a denial of service condition: the application or Node.js process handling the input becomes unresponsive for an extended period, potentially allowing an attacker to exhaust server resources or hang the process entirely. This type of attack is classified as a ReDoS, and the impact is primarily on availability [2].

Mitigation

The vulnerability was addressed in version 1.6.1 of shescape, released on 2022-10-25 [2]. Users should upgrade to version 1.6.1 or later. The fix involved refining the regular expression in escapeArgBash to remove the vulnerable pattern, preventing catastrophic backtracking [3]. No workarounds are documented; upgrading is the recommended course of action.
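As an added illustration (not shescape's own code), the following reconstructs the post-fix Bash escaping for the interpolating branch from the context lines of the fix commit's src/unix.js hunk, keeps the removed curly-brace pattern beside it so the behaviour change is visible on short inputs, and adds the kind of time-budget check a ReDoS regression test needs. Assumptions: the escaping chain starts from the raw argument string, only the interpolation branch is modelled, the inputs in REDOS_INPUTS are constructed after the fix commit's fixture, and the names escapeCurlyPreFix, escapeArgBashInterpolated, completesWithin and checkFixedEscapeIsLinear are this example's own.

```javascript
// Added example, not shescape's own code. Reconstructs the post-fix Bash escaping
// (interpolation branch) from the fix commit's src/unix.js hunk and adds a time-budget
// check; all function names and the sample inputs below are this example's own.

// Pattern removed by the fix (the `-` lines of the hunk). Kept only to show, on short
// inputs, how its context-sensitive match differs from the unconditional escape.
const VULNERABLE_CURLY_RE = /(?<!\{)\{+(?=(?:[^{][^,.]*)?[,.][^}]*\})/gu;

// Pre-fix handling of `{` alone: escape a run of braces only when the lookahead matches.
function escapeCurlyPreFix(arg) {
  return arg.replace(VULNERABLE_CURLY_RE, (braces) => braces.replace(/\{/gu, "\\{"));
}

// Post-fix escaping for Bash with interpolation enabled, as in the hunk's `+` line and
// its unchanged context: every `{` is now escaped in a single linear character-class pass.
function escapeArgBashInterpolated(arg) {
  return arg
    .replace(/\\/gu, "\\\\")
    .replace(/\n/gu, " ")
    .replace(/(^|\s)([#~])/gu, "$1\\$2")
    .replace(/(["$&'()*;<>?`{|])/gu, "\\$1")
    .replace(/(?<=[:=])(~)(?=[\s+\-/0:=]|$)/gu, "\\$1");
}

// Runs `fn` on `input` and reports whether it returned within `budgetMs` milliseconds.
function completesWithin(fn, input, budgetMs) {
  const start = Date.now();
  fn(input);
  const elapsedMs = Date.now() - start;
  return { ok: elapsedMs <= budgetMs, elapsedMs };
}

// Constructed inputs modelled on the `redos` fixture added by the fix commit: long runs
// of `{` and `,` with no closing `}`, the shape the removed pattern backtracked on.
const REDOS_INPUTS = [
  `foo${"{".repeat(150_000)}bar`,
  `{${",".repeat(150_000)}`,
  "{,".repeat(150_000),
];

// Regression-style check: the fixed escape must finish every input inside the budget.
function checkFixedEscapeIsLinear(budgetMs = 1000) {
  return REDOS_INPUTS.every((s) => completesWithin(escapeArgBashInterpolated, s, budgetMs).ok);
}

// Behaviour change made visible on a short input: the old pattern leaves `a{b}c` alone,
// the new escape returns `a\{b}c`, which Bash reads back as the literal string a{b}c.
console.log(escapeCurlyPreFix("a{b}c"), escapeArgBashInterpolated("a{b}c"));
console.log("fixed escape within budget:", checkFixedEscapeIsLinear());
```

The budget check is deliberately generous; in a real test suite the point is that a reintroduced super-linear pattern fails with a named input and shell rather than as an anonymous runner timeout.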

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: shescape (npm)
Affected versions: >= 1.5.10, < 1.6.1
Patched versions: 1.6.1

Affected products (2)

  • shescape/shescape
  • GHSA coordinates: range >= 1.5.10, < 1.6.1

Patches (1)

Commit 552e8eab5686: Merge pull request from GHSA-cr84-xvw4-qx3c

Repository: https://github.com/ericcornelissen/shescape · Author: Eric Cornelissen · Oct 25, 2022 · via ghsa
4 files changed · +45 -15
  • SECURITY.md (+11 -8, modified)
    @@ -27,18 +27,21 @@ report this publicly. For example, as a regular issue in the public repository.
     
     ## Advisories
     
    -| ID               | Date       | Affected versions | Patched versions |
    -| :--------------- | :--------- | :---------------- | :--------------- |
    -| `CVE-2021-21384` | 2021-03-19 | `<1.1.3`          | `1.1.3`          |
    -| `CVE-2022-24725` | 2022-03-03 | `>=1.4.0 <1.5.1`  | `1.5.1`          |
    -| `CVE-2022-31179` | 2022-07-26 | `<1.5.8`          | `1.5.8`          |
    -| `CVE-2022-31180` | 2022-07-26 | `>=1.4.0 <1.5.8`  | `1.5.8`          |
    -| `CVE-2022-36064` | 2022-08-29 | `>=1.5.1 <1.5.10` | `1.5.10`         |
    +| ID                    | Date       | Affected versions | Patched versions |
    +| :-------------------- | :--------- | :---------------- | :--------------- |
    +| `CVE-2021-21384`      | 2021-03-19 | `<1.1.3`          | `1.1.3`          |
    +| `CVE-2022-24725`      | 2022-03-03 | `>=1.4.0 <1.5.1`  | `1.5.1`          |
    +| `CVE-2022-31179`      | 2022-07-26 | `<1.5.8`          | `1.5.8`          |
    +| `CVE-2022-31180`      | 2022-07-26 | `>=1.4.0 <1.5.8`  | `1.5.8`          |
    +| `CVE-2022-36064`      | 2022-08-29 | `>=1.5.1 <1.5.10` | `1.5.10`         |
    +| `GHSA-cr84-xvw4-qx3c` | 2022-10-25 | `>=1.5.10 <1.6.1` | `1.6.1`          |
     
     ## Acknowledgments
     
     We would like to publicly thank the following reporters:
     
    -- _None yet_
    +- Elliot Ward ([@mowzk]) from [Snyk]
     
    +[@mowzk]: https://github.com/mowzk
     [security@ericcornelissen.dev]: mailto:security@ericcornelissen.dev?subject=SECURITY%20%28shescape%29
    +[snyk]: https://snyk.io/
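Review bot: the new advisory row at the end of the table is keyed by the GHSA identifier `GHSA-cr84-xvw4-qx3c` while every other row uses a CVE; once CVE-2022-25918 is assigned, the ID column should be updated to the CVE (or list both) so the table stays consistent and searchable. The added link definition `[snyk]: https://snyk.io/` is lowercase while the reference text reads `[Snyk]`; Markdown reference labels are case-insensitive so it resolves, but matching the case keeps the definitions greppable.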
    
  • src/unix.js (+1 -4, modified)
    @@ -48,10 +48,7 @@ function escapeArgBash(arg, interpolation, quoted) {
           .replace(/\\/gu, "\\\\")
           .replace(/\n/gu, " ")
           .replace(/(^|\s)([#~])/gu, "$1\\$2")
    -      .replace(/(["$&'()*;<>?`|])/gu, "\\$1")
    -      .replace(/(?<!\{)\{+(?=(?:[^{][^,.]*)?[,.][^}]*\})/gu, (curlyBraces) =>
    -        curlyBraces.replace(/\{/gu, "\\{")
    -      )
    +      .replace(/(["$&'()*;<>?`{|])/gu, "\\$1")
           .replace(/(?<=[:=])(~)(?=[\s+\-/0:=]|$)/gu, "\\$1");
       } else if (quoted) {
         result = result.replace(/'/gu, `'\\''`);
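Review bot: folding `{` into the single character-class `.replace` on the `+` line is the right shape of fix, because the escape now runs as one linear scan and the removed lookbehind/lookahead pattern, whose `\{+` followed by `[^{][^,.]*` and `[^}]*` could backtrack heavily on long runs of `{` and `,` with no closing `}`, is gone entirely. Note that this is a behaviour change and not only a performance fix: `{` is now escaped in every interpolating input, including ones such as `a{b}c` that the old pattern left untouched, so fixture expectations must move with it. A one-line comment beside the regex recording why `{` is escaped unconditionally would keep a future contributor from reintroducing a context-sensitive match.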
    
  • test/fixtures/unix.js (+13 -3, modified)
    @@ -1116,23 +1116,23 @@ export const escape = {
         "curly brackets ('{', '}')": [
           {
             input: "a{b",
    -        expected: { interpolation: "a{b", noInterpolation: "a{b" },
    +        expected: { interpolation: "a\\{b", noInterpolation: "a{b" },
           },
           {
             input: "a}b",
             expected: { interpolation: "a}b", noInterpolation: "a}b" },
           },
           {
             input: "a{b{c",
    -        expected: { interpolation: "a{b{c", noInterpolation: "a{b{c" },
    +        expected: { interpolation: "a\\{b\\{c", noInterpolation: "a{b{c" },
           },
           {
             input: "a}b}c",
             expected: { interpolation: "a}b}c", noInterpolation: "a}b}c" },
           },
           {
             input: "a{b}c",
    -        expected: { interpolation: "a{b}c", noInterpolation: "a{b}c" },
    +        expected: { interpolation: "a\\{b}c", noInterpolation: "a{b}c" },
           },
           {
             input: "a{b,c}d",
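Review bot: the three updated expectations (`a{b` to `a\\{b`, `a{b{c` to `a\\{b\\{c`, `a{b}c` to `a\\{b}c`) are consistent with the unconditional `{` escape, and the `a}b` and `a}b}c` rows correctly stay unchanged because `}` is not in the new character class. The `noInterpolation` values are untouched, which matches the src/unix.js hunk only changing the interpolation branch; a short comment on the first changed row pointing at the advisory would explain why these expectations differ from the 1.5.x ones.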
    @@ -3601,3 +3601,13 @@ export const quote = {
         ],
       },
     };
    +
    +export const redos = () => [
    +  // CVE-2022-36064
    +  `foo${"{".repeat(150_000)}bar`,
    +  `=${":".repeat(150_000)}foobar`,
    +  `{${",".repeat(150_000)}`,
    +
    +  // No identifier (yet)
    +  "{,".repeat(150_000),
    +];
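Review bot: the `redos` fixture labels its first three inputs `// CVE-2022-36064` and the fourth `// No identifier (yet)`; the fourth input is the one this fix addresses, so the placeholder comment should name `GHSA-cr84-xvw4-qx3c` (and the CVE once assigned) to keep the regression test traceable. Exporting a function rather than an array is a good choice, since each call builds fresh 150,000-character strings instead of sharing one large constant across test files; consider also lifting the repeat count into a named constant so the input size used by the timing tests is visible in one place.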
    
  • test/unit/unix/escape.test.js (+20 -0, modified)
    @@ -46,4 +46,24 @@ Object.entries(fixtures.escape).forEach(([shellName, scenarios]) => {
       });
     });
     
    +fixtures.redos().forEach((s, i) => {
    +  test(`bash, ReDoS #${i}`, (t) => {
    +    const escape = unix.getEscapeFunction("bash");
    +    escape(s, true, false);
    +    t.pass();
    +  });
    +
    +  test(`dash, ReDoS #${i}`, (t) => {
    +    const escape = unix.getEscapeFunction("dash");
    +    escape(s, true, false);
    +    t.pass();
    +  });
    +
    +  test(`zsh, ReDoS #${i}`, (t) => {
    +    const escape = unix.getEscapeFunction("zsh");
    +    escape(s, true, false);
    +    t.pass();
    +  });
    +});
    +
     test(macros.unsupportedShell, { fn: unix.getEscapeFunction });
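Review bot: each added test only calls `escape(s, true, false)` and then `t.pass()`, so a reintroduced super-linear pattern would surface as a test-runner timeout rather than an assertion failure, and the failure message would not say which shell or which fixture input hung. Wrap the call in a timer and assert an explicit upper bound on elapsed time, and collapse the three near-identical blocks into one loop over `["bash", "dash", "zsh"]` so the shell list and the timing check cannot drift apart when a shell is added.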
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (7)
