logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2023-35931 shescape

Package

Manager: npm
Name: shescape
Vulnerable Version: >=0 <1.7.1

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00256 pctl0.48828

Details

Shescape potential environment variable exposure on Windows with CMD ### Impact This impact users of Shescape: 1. On Windows using the Windows Command Prompt (i.e. `cmd.exe`), and 2. Using `quote`/`quoteAll` or `escape`/`escapeAll` with the `interpolation` option set to `true`. An attacker may be able to get read-only access to environment variables. Example: ```javascript import * as cp from "node:child_process"; import * as shescape from "shescape"; // 1. Prerequisites const options = { shell: "cmd.exe", // Or shell: undefined, // Only if the default shell is CMD // And interpolation: true, // Only applies to `escape` and `escapeAll` usage } // 2. Attack (one of many) const payload = "%PATH%"; // 3. Usage let escapedPayload; escapedPayload = shescape.quote(payload, options); // Or escapedPayload = shescape.quoteAll([payload], options); // Or escapedPayload = shescape.escape(payload, options); // Or escapedPayload = shescape.escapeAll([payload], options); // And (example) const result = cp.execSync(`echo Hello ${escapedPayload}`, options); // 4. Impact console.log(result.toString()); // Outputs "Hello" followed by the contents of the PATH environment variable ``` ### Patches This bug has been patched in [v1.7.1](https://github.com/ericcornelissen/shescape/releases/tag/v1.7.1) which you can upgrade to now. No further changes are required. ### Workarounds Alternatively, users can remove all instances of `%` from user input, either before or after using Shescape. ### References - Shescape Pull request [#982](https://github.com/ericcornelissen/shescape/pull/982) - Shescape commit [`d0fce70`](https://github.com/ericcornelissen/shescape/commit/d0fce70f987ac0d8331f93cb45d47e79436173ac) - Shescape Release [v1.7.1](https://github.com/ericcornelissen/shescape/releases/tag/v1.7.1)

Metadata

Created: 2023-06-22T20:01:39Z
Modified: 2023-06-26T16:35:03Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-3g7p-8qhx-mc8r/GHSA-3g7p-8qhx-mc8r.json
CWE IDs: ["CWE-526"]
Alternative ID: GHSA-3g7p-8qhx-mc8r
Finding: F067
Auto approve: 1