CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
68.2%
This only impacts users that use the escape
or escapeAll
functions with the interpolation
option set to true
. Example:
import cp from "node:child_process";
import * as shescape from "shescape";
// 1. Prerequisites
const options = {
shell: "bash",
// Or
shell: "dash",
// Or
shell: "powershell.exe",
// Or
shell: "zsh",
// Or
shell: undefined, // Only if the default shell is one of the affected shells.
};
// 2. Attack (one of multiple)
const payload = "foo #bar";
// 3. Usage
let escapedPayload;
shescape.escape(payload, { interpolation: true });
// Or
shescape.escapeAll(payload, { interpolation: true });
cp.execSync(`echo Hello ${escapedPayload}!`, options);
// _Output depends on the shell being used_
The result is that if an attacker is able to include whitespace in their input they can:
Behaviour number 1 has been patched in v1.5.7 which you can upgrade to now. No further changes are required.
Behaviour number 2, 3, and 4 have been patched in v1.5.8 which you can upgrade to now. No further changes are required.
The best workaround is to avoid having to use the interpolation: true
option - in most cases using an alternative is possible, see the recipes for recommendations.
Alternatively, you can strip all whitespace from user input. Note that this is error prone, for example: for PowerShell this requires stripping '\u0085'
which is not included in JavaScript’s definition of \s
for Regular Expressions.
Vendor | Product | Version | CPE |
---|---|---|---|
shescape_project | shescape | * | cpe:2.3:a:shescape_project:shescape:*:*:*:*:*:*:*:* |
github.com/advisories/GHSA-44vr-rwwj-p88h
github.com/ericcornelissen/shescape/pull/322
github.com/ericcornelissen/shescape/pull/324
github.com/ericcornelissen/shescape/pull/332
github.com/ericcornelissen/shescape/releases/tag/v1.5.7
github.com/ericcornelissen/shescape/releases/tag/v1.5.8
github.com/ericcornelissen/shescape/security/advisories/GHSA-44vr-rwwj-p88h
nvd.nist.gov/vuln/detail/CVE-2022-31180