{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"state":"PUBLISHED","cveId":"CVE-2022-25918","assignerOrgId":"bae035ff-b466-4ff4-94d0-fc9efd9e1730","assignerShortName":"snyk","datePublished":"2022-10-27T05:05:09.944Z","dateUpdated":"2025-05-05T18:24:44.572Z","dateReserved":"2022-02-24T00:00:00.000Z"},"containers":{"cna":{"title":"Regular Expression Denial of Service (ReDoS)","datePublic":"2022-10-27T00:00:00.000Z","providerMetadata":{"orgId":"bae035ff-b466-4ff4-94d0-fc9efd9e1730","shortName":"snyk","dateUpdated":"2022-10-27T00:00:00.000Z"},"descriptions":[{"lang":"en","value":"The package shescape from 1.5.10 and before 1.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the escape function in index.js, due to the usage of insecure regex in the escapeArgBash function."}],"affected":[{"vendor":"n/a","product":"shescape","versions":[{"version":"1.5.10","status":"affected","lessThan":"unspecified","versionType":"custom"},{"version":"unspecified","lessThan":"1.6.1","status":"affected","versionType":"custom"}]}],"references":[{"url":"https://security.snyk.io/vuln/SNYK-JS-SHESCAPE-3061108"},{"url":"https://github.com/ericcornelissen/shescape/blob/main/src/unix.js%23L52"},{"url":"https://github.com/ericcornelissen/shescape/commit/552e8eab56861720b1d4e5474fb65741643358f9"},{"url":"https://github.com/ericcornelissen/shescape/releases/tag/v1.6.1"}],"credits":[{"lang":"en","value":"Elliot Ward - Snyk Research Team"}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"LOW","baseScore":5.3,"baseSeverity":"MEDIUM"}}],"problemTypes":[{"descriptions":[{"type":"text","lang":"en","description":"Regular Expression Denial of Service (ReDoS)"}]}]},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-03T04:49:44.464Z"},"title":"CVE Program Container","references":[{"url":"https://security.snyk.io/vuln/SNYK-JS-SHESCAPE-3061108","tags":["x_transferred"]},{"url":"https://github.com/ericcornelissen/shescape/blob/main/src/unix.js%23L52","tags":["x_transferred"]},{"url":"https://github.com/ericcornelissen/shescape/commit/552e8eab56861720b1d4e5474fb65741643358f9","tags":["x_transferred"]},{"url":"https://github.com/ericcornelissen/shescape/releases/tag/v1.6.1","tags":["x_transferred"]}]},{"problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-1333","lang":"en","description":"CWE-1333 Inefficient Regular Expression Complexity"}]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-05-05T18:24:01.864881Z","id":"CVE-2022-25918","options":[{"Exploitation":"poc"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-05-05T18:24:44.572Z"}}]}}