CVE-2022-24725 – shescape

Package

Manager: npm
Name: shescape
Vulnerable Version: >=1.4.0 <1.5.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00296 pctl0.52476

Details

Exposure of home directory through shescape on Unix with Bash ### Impact The issue allows for exposure of the home directory on Unix systems when using Bash with the `escape` or `escapeAll` functions from the _shescape_ API with the `interpolation` option set to `true`. Other tested shells, Dash and Zsh, are not affected. ```javascript const cp = require("child_process"); const shescape = require("shescape"); const payload = "home_directory=~"; const options = { interpolation: true }; console.log(cp.execSync(`echo ${shescape.escape(payload, options)}`)); // home_directory=/home/user ``` Depending on how the output of _shescape_ is used, directory traversal may be possible in the application using _shescape_. ### Patches The issue was patched in `v1.5.1`. ### Workarounds Manually escape all instances of the tilde character (`~`) using `arg.replace(/~/g, "\\~")`. ### References See GitHub issue https://github.com/ericcornelissen/shescape/issues/169.

Metadata

Created: 2022-03-03T19:26:11Z
Modified: 2022-03-18T20:06:07Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-446w-rrm4-r47f/GHSA-446w-rrm4-r47f.json
CWE IDs: ["CWE-200", "CWE-78"]
Alternative ID: GHSA-446w-rrm4-r47f
Finding: F004
Auto approve: 1