CVE-2022-36064— Shescape Inefficient Regular Expression Complexity vulnerability
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2022-36064
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Shescape Inefficient Regular Expression Complexity vulnerability
Source: NVD (National Vulnerability Database)
Vulnerability Description
Shescape is a shell escape package for JavaScript. An Inefficient Regular Expression Complexity vulnerability impacts users that use Shescape to escape arguments for the Unix shells `Bash` and `Dash`, or any not-officially-supported Unix shell; and/or using the `escape` or `escapeAll` functions with the `interpolation` option set to `true`. An attacker can cause polynomial backtracking or quadratic runtime in terms of the input string length due to two Regular Expressions in Shescape that are vulnerable to Regular Expression Denial of Service (ReDoS). This bug has been patched in v1.5.10. For `Dash` only, this bug has been patched since v1.5.9. As a workaround, a maximum length can be enforced on input strings to Shescape to reduce the impact of the vulnerability. It is not recommended to try and detect vulnerable input strings, as the logic for this may end up being vulnerable to ReDoS itself.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
CWE-1333
Source: NVD (National Vulnerability Database)
Vulnerability Title
Shescape 输入验证错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Shescape是开源的一个用于JavaScript的简单外壳转义程序包。使用它可以将用户控制的输入转义给shell命令,以防止shell注入。 Shescape v1.5.10之前版本存在输入验证错误漏洞,该漏洞源于Shescape 中的两个正则表达式容易受到正则表达式拒绝服务 (ReDoS) 的影响,攻击者利用该漏洞可以在输入字符串长度方面导致多项式回溯或二次运行。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| ericcornelissen | shescape | >= 1.5.1, < 1.5.10 | - |
II. Public POCs for CVE-2022-36064
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2022-36064
请登录查看更多情报信息。
- https://github.com/ericcornelissen/shescape/releases/tag/v1.5.10x_refsource_MISC
- https://github.com/ericcornelissen/shescape/pull/373x_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2022-36064
IV. Related Vulnerabilities
Same product: shescape
- CVE-2026-32094
Shescape escape() leaves bracket glob expansion active on Ba - CVE-2025-30222
Shescape has potential environment variable exposure on Wind - CVE-2023-40185
Shescape on Windows escaping may be bypassed in threaded con - CVE-2023-35931
Shescape potential environment variable exposure on Windows - CVE-2022-25918
Regular Expression Denial of Service (ReDoS)
Same vendor: ericcornelissen
- CVE-2026-32094
Shescape escape() leaves bracket glob expansion active on Ba - CVE-2025-30222
Shescape has potential environment variable exposure on Wind - CVE-2023-40185
Shescape on Windows escaping may be bypassed in threaded con - CVE-2023-35931
Shescape potential environment variable exposure on Windows - CVE-2022-31179
Insufficient escaping of line feeds for CMD in shescape
Same weakness: CWE-1333
- CVE-2026-33079
Mistune ReDoS in LINK_TITLE_RE allows denial of service with - CVE-2026-41040
GROWI 安全漏洞 - CVE-2026-40319
Giskard has a Regular Expression Denial of Service (ReDoS) i - CVE-2026-5986
Zod jsVideoUrlParser util.js getTime redos - CVE-2026-35041
ReDoS in fast-jwt when using RegExp in allowed* leading to C
V. Comments for CVE-2022-36064
No comments yet