Vulnerabilities
Projects
Vulnerability Disclosure
About Us
Contact Us
Mend.io Vulnerability Database
What is a WS vulnerability ID?
What is an MSC vulnerability ID?
We found results for “”
CVE-2025-30222
Good to know:
Date: March 25, 2025
Shescape is a simple shell escape library for JavaScript. Versions 1.7.2 through 2.1.1 are vulnerable to potential environment variable exposure on Windows with CMD. This impact users of Shescape on Windows that explicitly configure "shell: 'cmd.exe'" or "shell: true" using any of "quote"/"quoteAll"/"escape"/"escapeAll". An attacker may be able to get read-only access to environment variables. This bug has been patched in v2.1.2. For those who are already using v2 of Shescape, no further changes are required. Those who are are using v1 of Shescape should follow the migration guide to upgrade to v2. There is no plan to release a patch compatible with v1 of Shescape. As a workaround, users can remove all instances of "%" from user input before using Shescape.
Severity Score
Related Resources (7)
Severity Score
Weakness Type (CWE)
Exposure of Sensitive Information to an Unauthorized Actor
CWE-200Top Fix
Upgrade Version
Upgrade to version shescape - 2.1.2;https://github.com/ericcornelissen/shescape.git - v2.1.2
CVSS v3.1
| Base Score: |
|
|---|---|
| Attack Vector (AV): | LOCAL |
| Attack Complexity (AC): | LOW |
| Privileges Required (PR): | NONE |
| User Interaction (UI): | NONE |
| Scope (S): | UNCHANGED |
| Confidentiality (C): | NONE |
| Integrity (I): | HIGH |
| Availability (A): | NONE |