ReDoS Vulnerability in shellwords

## Vulnerability type

RegExp Denial-of-Service——catastrophic backtracking in regex evaluation

## Vulnerability Location

In the `split` function of `shellwords@1.1.1`, the following regular expression is used:

```javascript
/\s*(?:([^\s\\'"]+)|'((?:[^'\\]|\\.)*)'|"((?:[^"\\]|\\.)*)"|(\\.?)|(\S))(\s|$)?/
```

## Description

The `split` function in `shellwords` uses a complex regular expression to tokenize shell-like input strings.  
However, this regex is **vulnerable to catastrophic backtracking**, which can cause **CPU exhaustion** and **application hang** when processing specially crafted input.

## Proof of Concept (PoC)

```javascript
require("shellwords").split('\n' + ' '.repeat(100000))
```

## Affected version

**[shellwords@1.1.1](mailto:shellwords@1.1.1)**  
(Other versions using the same regex implementation may also be affected)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

ReDoS Vulnerability in shellwords #13

Vulnerability type

Vulnerability Location

Description

Proof of Concept (PoC)

Affected version

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

ReDoS Vulnerability in shellwords #13

Description

Vulnerability type

Vulnerability Location

Description

Proof of Concept (PoC)

Affected version

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions