logo

Database

Improper resource allocation In shescape

Description

Shescape potential environment variable exposure on Windows with CMD

Impact

This impact users of Shescape:

    On Windows using the Windows Command Prompt (i.e. cmd.exe), and

    Using quote/quoteAll or escape/escapeAll with the interpolation option set to true.

An attacker may be able to get read-only access to environment variables. Example:

import * as cp from "node:child_process";
import * as shescape from "shescape";

// 1. Prerequisites
const options = {
    shell: "cmd.exe",
    // Or
    shell: undefined, // Only if the default shell is CMD...

Patches

This bug has been patched in v1.7.1 which you can upgrade to now. No further changes are required.

Workarounds

Alternatively, users can remove all instances of % from user input, either before or after using Shescape.

References

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2023-359312. NVD-2023-359313. OSV-2023-359314. GHSA-3g7p-8qhx-mc8r5. GCVE-2023-35931

References

1. https://github.com/ericcornelissen/shescape/security/advisories/GHSA-3g7p-8qhx-mc8r2. https://github.com/ericcornelissen/shescape/pull/9823. https://github.com/ericcornelissen/shescape/commit/d0fce70f987ac0d8331f93cb45d47e79436173ac4. https://github.com/ericcornelissen/shescape/releases/tag/v1.7.1

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.