Information Exposure Affecting shescape package, versions >=1.7.2 <2.1.2
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-JS-SHESCAPE-9515254
- published26 Mar 2025
- disclosed25 Mar 2025
- creditUnknown
Introduced: 25 Mar 2025
NewCVE-2025-30222 (opens in a new tab)How to fix?
Upgrade shescape to version 2.1.2 or higher.
Overview
shescape is a simple shell escape library
Affected versions of this package are vulnerable to Information Exposure due to the configuration of shell parameter. An attacker can gain read-only access to environment variables by manipulating input parameters such as quote, quoteAll, escape, or escapeAll.
Note: This is only exploitable if the attacker is a user of Shescape on Windows that explicitly configures shell: cmd.exe or shell: true using any of quote/quoteAll/escape/escapeAll.
Workaround
This vulnerability can be mitigated by removing all instances of % from user input before using Shescape.