CVE-2022-31179
August 01, 2022
Shescape is a simple shell escape package for JavaScript. Versions prior to 1.5.8 were found to be subject to code injection on windows. This impacts users that use Shescape (any API function) to escape arguments for cmd.exe on Windows An attacker can omit all arguments following their input by including a line feed character ("'\n'") in the payload. This bug has been patched in [v1.5.8] which you can upgrade to now. No further changes are required. Alternatively, line feed characters ("'\n'") can be stripped out manually or the user input can be made the last argument (this only limits the impact).
Affected Packages
shescape (NPM):
Affected version(s) >=0.1.0 <1.5.8Fix Suggestion:
Update to version 1.5.8Related Resources (7)
Do you need more information?
Contact UsCVSS v4
Base Score:
9.1
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
LOW
Subsequent System Integrity
LOW
Subsequent System Availability
HIGH
CVSS v3
Base Score:
8.1
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality
LOW
Integrity
LOW
Availability
HIGH
Weakness Type (CWE)
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
EPSS
Base Score:
0.63
