CPE Details
Shescape Project Shescape 1.5.9 for Node.js
1.5.9
2022-09-09
11h20 +00:00
11h20 +00:00
2022-09-09
11h34 +00:00
11h34 +00:00
Alerte pour un CPE
Restez informé de toutes modifications pour un CPE spécifique.
CPE Name: cpe:2.3:a:shescape_project:shescape:1.5.9:*:*:*:*:node.js:*:*
Informations
Vendor
shescape_projectProduct
shescapeVersion
1.5.9Target Software
node.jsRelated CVE
| CVE ID | Publié | Description | Score | Gravité |
|---|---|---|---|---|
| shescape is simple shell escape library for JavaScript. This may impact users that use Shescape on Windows in a threaded context. The vulnerability can result in Shescape escaping (or quoting) for the wrong shell, thus allowing attackers to bypass protections depending on the combination of expected and used shell. This bug has been patched in version 1.7.4. | 8.6 |
Haute |
||
| Shescape is a simple shell escape library for JavaScript. An attacker may be able to get read-only access to environment variables. This bug has been patched in version 1.7.1. | 4.3 |
Moyen |
||
| Shescape is a shell escape package for JavaScript. An Inefficient Regular Expression Complexity vulnerability impacts users that use Shescape to escape arguments for the Unix shells `Bash` and `Dash`, or any not-officially-supported Unix shell; and/or using the `escape` or `escapeAll` functions with the `interpolation` option set to `true`. An attacker can cause polynomial backtracking or quadratic runtime in terms of the input string length due to two Regular Expressions in Shescape that are vulnerable to Regular Expression Denial of Service (ReDoS). This bug has been patched in v1.5.10. For `Dash` only, this bug has been patched since v1.5.9. As a workaround, a maximum length can be enforced on input strings to Shescape to reduce the impact of the vulnerability. It is not recommended to try and detect vulnerable input strings, as the logic for this may end up being vulnerable to ReDoS itself. | 7.5 |
Haute |
2025©
tesweb SA
