logo

Database

Out-of-bounds read In shescape

Description

Shescape on Windows escaping may be bypassed in threaded context

Impact

This may impact users that use Shescape on Windows in a threaded context (e.g. using Worker threads). The vulnerability can result in Shescape escaping (or quoting) for the wrong shell, thus allowing attackers to bypass protections depending on the combination of expected and used shell.

This snippet demonstrates a vulnerable use of Shescape:

// vulnerable.js

import { exec } from "node:child_process";
import { Worker, isMainThread } from 'node:worker_threads';

import * as shescape from "shescape";

if (isMainThread) {...

Patches

This bug has been patched in v1.7.4 which you can upgrade to now. No further changes are required.

Workarounds

If you are impacted there is no workaround possible.

References

For more information

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2023-401852. NVD-2023-401853. OSV-2023-401854. GHSA-j55r-787p-m5495. GCVE-2023-40185

References

1. https://github.com/ericcornelissen/shescape/security/advisories/GHSA-j55r-787p-m5492. https://github.com/ericcornelissen/shescape/pull/11423. https://github.com/ericcornelissen/shescape/commit/0b976dab645abf45ffd85e74a8c6e51ee2f42d634. https://github.com/ericcornelissen/shescape/releases/tag/v1.7.4

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.