CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
EPSS
Percentile
41.7%
This may impact users that use Shescape on Windows in a threaded context (e.g. using Worker threads). The vulnerability can result in Shescape escaping (or quoting) for the wrong shell, thus allowing attackers to bypass protections depending on the combination of expected and used shell.
This snippet demonstrates a vulnerable use of Shescape:
// vulnerable.js
import { exec } from "node:child_process";
import { Worker, isMainThread } from 'node:worker_threads';
import * as shescape from "shescape";
if (isMainThread) {
// 1. Something like a worker thread must be used. The reason being that they
// unexpectedly change environment variable names on Windows.
new Worker("./vulnerable.js");
} else {
// 2. Example configuration that's problematic. In this setup example the
// expected default system shell is CMD. We configure the use of PowerShell.
// Shescape will fail to look up PowerShell and default to escaping for CMD
// instead, resulting in the vulnerability.
const options = {
shell: "powershell",
interpolation: true,
};
// 3. Using shescape to protect against attacks, this is correct.
const escaped = shescape.escape("&& ls", options);
// 4. Invoking a command with the escaped user input, this is vulnerable in
// this case.
exec(`echo Hello ${escaped}`, options, (error, stdout) => {
if (error) {
console.error(`An error occurred: ${error}`);
} else {
console.log(stdout);
}
});
}
This bug has been patched in v1.7.4 which you can upgrade to now. No further changes are required.
If you are impacted there is no workaround possible.
0b976da
github.com/ericcornelissen/shescape
github.com/ericcornelissen/shescape/commit/0b976dab645abf45ffd85e74a8c6e51ee2f42d63
github.com/ericcornelissen/shescape/pull/1142
github.com/ericcornelissen/shescape/releases/tag/v1.7.4
github.com/ericcornelissen/shescape/security/advisories/GHSA-j55r-787p-m549
nvd.nist.gov/vuln/detail/CVE-2023-40185