Shescape
CVE-2022-31180
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
Shescape is a simple shell escape package for JavaScript. Affected versions were found to have insufficient escaping of white space when interpolating output. This issue only impacts users that use the escape or escapeAll functions with the interpolation option set to true. The result is that if an attacker is able to include whitespace in their input they can: 1. Invoke shell-specific behaviour through shell-specific special characters inserted directly after whitespace. 2. Invoke shell-specific behaviour through shell-specific special characters inserted or appearing after line terminating characters. 3. Invoke arbitrary commands by inserting a line feed character. 4. Invoke arbitrary commands by inserting a carriage return character. Behaviour number 1 has been patched in [v1.5.7] which you can upgrade to now. No further changes are required. Behaviour number 2, 3, and 4 have been patched in [v1.5.8] which you can upgrade to now. No further changes are required. The best workaround is to avoid having to use the interpolation: true option - in most cases using an alternative is possible, see the recipes for recommendations. Alternatively, users may strip all whitespace from user input. Note that this is error prone, for example: for PowerShell this requires stripping '\u0085' which is not included in JavaScript's definition of \s for Regular Expressions.
AnalysisAI
Shescape is a simple shell escape package for JavaScript. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Technical ContextAI
This vulnerability is classified under CWE-74. Shescape is a simple shell escape package for JavaScript. Affected versions were found to have insufficient escaping of white space when interpolating output. This issue only impacts users that use the escape or escapeAll functions with the interpolation option set to true. The result is that if an attacker is able to include whitespace in their input they can: 1. Invoke shell-specific behaviour through shell-specific special characters inserted directly after whitespace. 2. Invoke shell-specific behaviour through shell-specific special characters inserted or appearing after line terminating characters. 3. Invoke arbitrary commands by inserting a line feed character. 4. Invoke arbitrary commands by inserting a carriage return character. Behaviour number 1 has been patched in [v1.5.7] which you can upgrade to now. No further changes are required. Behaviour number 2, 3, and 4 have been patched in [v1.5.8] which you can upgrade to now. No further changes are required. The best workaround is to avoid having to use the interpolation: true option - in most cases using an alternative is possible, see the recipes for recommendations. Alternatively, users may strip all whitespace from user input. Note that this is error prone, for example: for PowerShell this requires stripping '\u0085' which is not included in JavaScript's definition of \s for Regular Expressions. Affected products include: Shescape Project Shescape.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Shescape is a simple shell escape package for JavaScript. Rated critical severity (CVSS 9.8), this vulnerability is remo
shescape is simple shell escape library for JavaScript. Rated high severity (CVSS 8.6), this vulnerability is remotely e
shescape is a simple shell escape package for JavaScript. Rated high severity (CVSS 7.8), this vulnerability is low atta
The package shescape from 1.5.10 and before 1.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the
Shescape is a shell escape package for JavaScript. Rated high severity (CVSS 7.5), this vulnerability is remotely exploi
Shescape is a shell escape package for JavaScript. Rated medium severity (CVSS 5.5), this vulnerability is low attack co
Shescape is a simple shell escape library for JavaScript. Rated medium severity (CVSS 4.3), this vulnerability is remote
Shescape versions prior to 2.1.10 fail to properly escape square-bracket glob patterns in Bash, BusyBox sh, and Dash, al
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today