CRITICAL🇵🇱 Wersja polska

CVE-2022-31180

CVSS 9.8v3.1pub. 2022-08-01upd. 2024-11-21

Shescape is a simple shell escape package for JavaScript. Affected versions were found to have insufficient escaping of white space when interpolating output. This issue only impacts users that use the `escape` or `escapeAll` functions with the `interpolation` option set to `true`. The result is that if an attacker is able to include whitespace in their input they can: 1. Invoke shell-specific behaviour through shell-specific special characters inserted directly after whitespace. 2. Invoke shell-specific behaviour through shell-specific special characters inserted or appearing after line terminating characters. 3. Invoke arbitrary commands by inserting a line feed character. 4. Invoke arbitrary commands by inserting a carriage return character. Behaviour number 1 has been patched in [v1.5.7] which you can upgrade to now. No further changes are required. Behaviour number 2, 3, and 4 have been patched in [v1.5.8] which you can upgrade to now. No further changes are required. The best workaround is to avoid having to use the `interpolation: true` option - in most cases using an alternative is possible, see [the recipes](https://github.com/ericcornelissen/shescape#recipes) for recommendations. Alternatively, users may strip all whitespace from user input. Note that this is error prone, for example: for PowerShell this requires stripping `'\u0085'` which is not included in JavaScript's definition of `\s` for Regular Expressions.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Shescape Project Shescape

    APP
    Shescape Project
    1.4.0 – 1.5.8 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2022-31179HIGH8.1ten sam produkt

Shescape is a simple shell escape package for JavaScript. Versions prior to 1.5.8 were found to be subject to ...

CVE-2026-32094MEDIUM6.9ten sam produkt

Shescape is a simple shell escape library for JavaScript. Prior to 2.1.10, Shescape#escape() does not escape s...

CVE-2023-40185MEDIUM6.5ten sam produkt

shescape is simple shell escape library for JavaScript. This may impact users that use Shescape on Windows in ...

CVE-2022-25918MEDIUM5.3ten sam produkt

The package shescape from 1.5.10 and before 1.6.1 are vulnerable to Regular Expression Denial of Service (ReDo...

CVE-2022-36064MEDIUM5.9ten sam produkt

Shescape is a shell escape package for JavaScript. An Inefficient Regular Expression Complexity vulnerability ...