Information Exposure Affecting shescape package, versions >=1.7.2 <2.1.2


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-SHESCAPE-9515254
  • published26 Mar 2025
  • disclosed25 Mar 2025
  • creditUnknown

Introduced: 25 Mar 2025

NewCVE-2025-30222  (opens in a new tab)
CWE-200  (opens in a new tab)

How to fix?

Upgrade shescape to version 2.1.2 or higher.

Overview

shescape is a simple shell escape library

Affected versions of this package are vulnerable to Information Exposure due to the configuration of shell parameter. An attacker can gain read-only access to environment variables by manipulating input parameters such as quote, quoteAll, escape, or escapeAll.

Note: This is only exploitable if the attacker is a user of Shescape on Windows that explicitly configures shell: cmd.exe or shell: true using any of quote/quoteAll/escape/escapeAll.

Workaround

This vulnerability can be mitigated by removing all instances of % from user input before using Shescape.

CVSS Base Scores

version 4.0
version 3.1