logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2025-30222 shescape

Package

Manager: npm
Name: shescape
Vulnerable Version: >=1.7.2 <2.1.2

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U

EPSS: 0.00032 pctl0.0752

Details

Shescape has potential environment variable exposure on Windows with CMD ### Impact This impact users of Shescape on Windows that explicitly configure `shell: 'cmd.exe'` or `shell: true` using any of `quote`/`quoteAll`/`escape`/`escapeAll`. An attacker may be able to get read-only access to environment variables. Example: ```javascript import * as cp from "node:child_process"; import { Shescape } from "shescape"; // 1. Prerequisites const shescape = new Shescape({ shell: "cmd.exe", // Or shell: true, // Only if the default shell is CMD }); // 2. Payload const payload = '"%PATH%'; // 3. Usage let escapedPayload; escapedPayload = shescape.quote(payload); // Or escapedPayload = shescape.quoteAll([payload]); // Or escapedPayload = shescape.escape(payload); // Or escapedPayload = shescape.escapeAll([payload]); // And (example) const result = cp.execSync(`echo Hello ${escapedPayload}`, options); // 4. Impact console.log(result.toString()); // Outputs "Hello" followed by the contents of the PATH environment variable ``` For Shescape prior to v2.0.0, the `options` object must have `shell: 'cmd.exe'` or `shell: undefined` and `interpolation: true`. ### Patches This bug has been patched in [v2.1.2](https://github.com/ericcornelissen/shescape/releases/tag/v2.1.2) which you can upgrade to now. If you are already using v2 of Shescape, no further changes are required. If you are using v1 of Shescape, follow the [migration guide](https://github.com/ericcornelissen/shescape/blob/155b13b4141750203ce71249f1b0fdc638c7a0d0/docs/migration.md) to upgrade to v2. There is no plan to release a patch compatible with v1 of Shescape. ### Workarounds Alternatively, users can remove all instances of % from user input before using Shescape. ### References - Shescape Pull Request [#1916](https://github.com/ericcornelissen/shescape/pull/1916) - Shescape commit [0a81f1e](https://github.com/ericcornelissen/shescape/commit/0a81f1eb077bab8caae283a2490cd7be9af179c6) - Shescape release [v2.1.2](https://github.com/ericcornelissen/shescape/releases/tag/v2.1.2) ### For more information - Comment on Pull Request [#1916](https://github.com/ericcornelissen/shescape/pull/1916) - Comment on commit [0a81f1e](https://github.com/ericcornelissen/shescape/commit/0a81f1eb077bab8caae283a2490cd7be9af179c6) - Open an issue at [https://github.com/ericcornelissen/shescape/issues](https://github.com/ericcornelissen/shescape/issues) (New issue > Question)

Metadata

Created: 2025-03-26T14:54:22Z
Modified: 2025-03-26T14:54:22Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-66pp-5p9w-q87j/GHSA-66pp-5p9w-q87j.json
CWE IDs: ["CWE-200"]
Alternative ID: GHSA-66pp-5p9w-q87j
Finding: F017
Auto approve: 1