Skip to main content

Shescape

9 CVEs product

Monthly

CVE-2026-32094 npm MEDIUM PATCH This Month

Shescape versions prior to 2.1.10 fail to properly escape square-bracket glob patterns in Bash, BusyBox sh, and Dash, allowing attackers to manipulate shell arguments into multiple filesystem expansions instead of literal strings. Applications using the library's escape() function are vulnerable to argument injection attacks where an attacker-controlled value like "secret[12]" could expand to match multiple files, bypassing intended pathname restrictions. No patch is currently available for affected deployments.

Information Disclosure Shescape
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2023-40185 npm HIGH POC PATCH This Week

shescape is simple shell escape library for JavaScript. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Microsoft Shescape
NVD GitHub
CVSS 3.1
8.6
EPSS
0.6%
CVE-2023-35931 npm MEDIUM POC PATCH This Month

Shescape is a simple shell escape library for JavaScript. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Shescape
NVD GitHub
CVSS 3.1
4.3
EPSS
0.8%
CVE-2022-25918 npm HIGH POC PATCH This Week

The package shescape from 1.5.10 and before 1.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the escape function in index.js, due to the usage of insecure regex in the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Shescape
NVD GitHub
CVSS 3.1
7.5
EPSS
1.2%
CVE-2022-36064 HIGH POC PATCH This Week

Shescape is a shell escape package for JavaScript. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Shescape
NVD GitHub
CVSS 3.1
7.5
EPSS
1.1%
CVE-2022-31180 npm CRITICAL POC PATCH Act Now

Shescape is a simple shell escape package for JavaScript. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Shescape
NVD GitHub
CVSS 3.1
9.8
EPSS
1.5%
CVE-2022-31179 npm CRITICAL POC PATCH Act Now

Shescape is a simple shell escape package for JavaScript. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Microsoft Code Injection Shescape
NVD GitHub
CVSS 3.1
9.8
EPSS
1.1%
CVE-2022-24725 npm MEDIUM POC PATCH This Month

Shescape is a shell escape package for JavaScript. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.

Path Traversal Information Disclosure Shescape
NVD GitHub
CVSS 3.1
5.5
EPSS
0.5%
CVE-2021-21384 npm HIGH POC PATCH This Week

shescape is a simple shell escape package for JavaScript. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.

Code Injection Shescape
NVD GitHub
CVSS 3.1
7.8
EPSS
0.6%
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Shescape versions prior to 2.1.10 fail to properly escape square-bracket glob patterns in Bash, BusyBox sh, and Dash, allowing attackers to manipulate shell arguments into multiple filesystem expansions instead of literal strings. Applications using the library's escape() function are vulnerable to argument injection attacks where an attacker-controlled value like "secret[12]" could expand to match multiple files, bypassing intended pathname restrictions. No patch is currently available for affected deployments.

Information Disclosure Shescape
NVD GitHub VulDB
EPSS 1% CVSS 8.6
HIGH POC PATCH This Week

shescape is simple shell escape library for JavaScript. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Microsoft Shescape
NVD GitHub
EPSS 1% CVSS 4.3
MEDIUM POC PATCH This Month

Shescape is a simple shell escape library for JavaScript. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Shescape
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

The package shescape from 1.5.10 and before 1.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the escape function in index.js, due to the usage of insecure regex in the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Shescape
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

Shescape is a shell escape package for JavaScript. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Shescape
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

Shescape is a simple shell escape package for JavaScript. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Shescape
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

Shescape is a simple shell escape package for JavaScript. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Microsoft Code Injection Shescape
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

Shescape is a shell escape package for JavaScript. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.

Path Traversal Information Disclosure Shescape
NVD GitHub
EPSS 1% CVSS 7.8
HIGH POC PATCH This Week

shescape is a simple shell escape package for JavaScript. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.

Code Injection Shescape
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy