Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:npm/shescape@1.5.6
Typenpm
Namespace
Nameshescape
Version1.5.6
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version2.1.10
Latest_non_vulnerable_version2.1.10
Affected_by_vulnerabilities
0
url VCID-7x9z-rjk1-j7d2
vulnerability_id VCID-7x9z-rjk1-j7d2
summary
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-36064
reference_id
reference_type
scores
0
value 0.00561
scoring_system epss
scoring_elements 0.68654
published_at 2026-06-04T12:55:00Z
1
value 0.00561
scoring_system epss
scoring_elements 0.68695
published_at 2026-06-07T12:55:00Z
2
value 0.00561
scoring_system epss
scoring_elements 0.68703
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-36064
1
reference_url https://github.com/ericcornelissen/shescape/pull/373
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:44:36Z/
url https://github.com/ericcornelissen/shescape/pull/373
2
reference_url https://github.com/ericcornelissen/shescape/releases/tag/v1.5.10
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:44:36Z/
url https://github.com/ericcornelissen/shescape/releases/tag/v1.5.10
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-36064
reference_id CVE-2022-36064
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2022-36064
4
reference_url https://github.com/ericcornelissen/shescape/security/advisories/GHSA-gp75-h7j6-5pv3
reference_id GHSA-gp75-h7j6-5pv3
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:44:36Z/
url https://github.com/ericcornelissen/shescape/security/advisories/GHSA-gp75-h7j6-5pv3
fixed_packages
0
url pkg:npm/shescape@1.5.10
purl pkg:npm/shescape@1.5.10
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-8tmm-r9hx-t7gh
1
vulnerability VCID-cy6p-xc3p-wbe1
2
vulnerability VCID-dkf9-rygu-2yby
3
vulnerability VCID-emqt-chqk-wug3
4
vulnerability VCID-wpfp-cjd5-87g2
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/shescape@1.5.10
aliases CVE-2022-36064, GHSA-gp75-h7j6-5pv3
risk_score 2.6
exploitability 0.5
weighted_severity 5.3
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7x9z-rjk1-j7d2
1
url VCID-8tmm-r9hx-t7gh
vulnerability_id VCID-8tmm-r9hx-t7gh
summary 
Cleartext Storage of Sensitive Information in an Environment Variable
Shescape is a simple shell escape library for JavaScript. An attacker may be able to get read-only access to environment variables. This bug has been patched in version 1.7.1.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-35931
reference_id
reference_type
scores
0
value 0.00464
scoring_system epss
scoring_elements 0.64701
published_at 2026-06-07T12:55:00Z
1
value 0.00464
scoring_system epss
scoring_elements 0.64712
published_at 2026-06-06T12:55:00Z
2
value 0.00464
scoring_system epss
scoring_elements 0.64702
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-35931
1
reference_url https://github.com/ericcornelissen/shescape
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/ericcornelissen/shescape
2
reference_url https://github.com/ericcornelissen/shescape/commit/d0fce70f987ac0d8331f93cb45d47e79436173ac
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-05T16:08:36Z/
url https://github.com/ericcornelissen/shescape/commit/d0fce70f987ac0d8331f93cb45d47e79436173ac
3
reference_url https://github.com/ericcornelissen/shescape/pull/982
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-05T16:08:36Z/
url https://github.com/ericcornelissen/shescape/pull/982
4
reference_url https://github.com/ericcornelissen/shescape/releases/tag/v1.7.1
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-05T16:08:36Z/
url https://github.com/ericcornelissen/shescape/releases/tag/v1.7.1
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-35931
reference_id CVE-2023-35931
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-35931
6
reference_url https://github.com/advisories/GHSA-3g7p-8qhx-mc8r
reference_id GHSA-3g7p-8qhx-mc8r
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-3g7p-8qhx-mc8r
7
reference_url https://github.com/ericcornelissen/shescape/security/advisories/GHSA-3g7p-8qhx-mc8r
reference_id GHSA-3g7p-8qhx-mc8r
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system cvssv3.1_qr
scoring_elements
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-05T16:08:36Z/
url https://github.com/ericcornelissen/shescape/security/advisories/GHSA-3g7p-8qhx-mc8r
fixed_packages
0
url pkg:npm/shescape@1.7.1
purl pkg:npm/shescape@1.7.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-cy6p-xc3p-wbe1
1
vulnerability VCID-emqt-chqk-wug3
2
vulnerability VCID-wpfp-cjd5-87g2
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/shescape@1.7.1
aliases CVE-2023-35931, GHSA-3g7p-8qhx-mc8r
risk_score 1.4
exploitability 0.5
weighted_severity 2.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8tmm-r9hx-t7gh
2
url VCID-cy6p-xc3p-wbe1
vulnerability_id VCID-cy6p-xc3p-wbe1
summary 
Withdrawn Advisory: Shescape has possible misidentification of shell due to link chains
This impacts users of Shescape that configure their `shell` to point to a file on disk that is a link to a link. The precise result of being affected depends on the actual shell used and incorrect shell identified by Shescape.

In particular, an attacker may be able to bypass escaping for the shell being used. This can result, for example, in exposure of sensitive information, consider the following proof of concept (targeting Shescape v2):

```javascript
import fs from "node:fs";
import { exec } from "node:child_process";

import { Shescape } from "shescape";
import which from "which";

/* 1. Set up */
const shell = which.sync("bash");
const linkToShell = "./csh";
const linkToLink = "./link";

fs.rmSync(linkToLink, { force: true });
fs.rmSync(linkToShell, { force: true });
fs.symlinkSync(shell, linkToShell);
fs.symlinkSync(linkToShell, linkToLink);

/* 2. Misconfiguration */
const execOptions = {
shell: linkToLink,
};

const shescape = new Shescape({
shell: execOptions.shell,
});

/* 3. Payload */
const userInput = "a=:~";

/* 4. Attack example */
exec(
`echo Hello ${shescape.escape(userInput)}`,
{ shell: execOptions.shell },
(error, stdout) => {
fs.rmSync(linkToLink);
fs.rmSync(linkToShell);

if (error) {
console.error(`An error occurred: ${error}`);
} else {
console.log(stdout);
// Output:  "Hello a=:/home/user"
}
},
);
```
references
0
reference_url https://github.com/ericcornelissen/shescape
reference_id
reference_type
scores
0
value 2.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/ericcornelissen/shescape
1
reference_url https://github.com/ericcornelissen/shescape/pull/2388
reference_id
reference_type
scores
0
value 2.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/ericcornelissen/shescape/pull/2388
2
reference_url https://github.com/ericcornelissen/shescape/releases/tag/v2.1.9
reference_id
reference_type
scores
0
value 2.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/ericcornelissen/shescape/releases/tag/v2.1.9
3
reference_url https://github.com/github/advisory-database/pull/7206
reference_id
reference_type
scores
0
value 2.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/github/advisory-database/pull/7206
4
reference_url https://www.npmjs.com/package/shescape/v/2.1.9
reference_id
reference_type
scores
0
value 2.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
1
value LOW
scoring_system generic_textual
scoring_elements
url https://www.npmjs.com/package/shescape/v/2.1.9
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-30916
reference_id CVE-2026-30916
reference_type
scores
0
value 2.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-30916
6
reference_url https://github.com/advisories/GHSA-6f6w-6j58-rq76
reference_id GHSA-6f6w-6j58-rq76
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-6f6w-6j58-rq76
7
reference_url https://github.com/ericcornelissen/shescape/security/advisories/GHSA-6f6w-6j58-rq76
reference_id GHSA-6f6w-6j58-rq76
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
1
value 2.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/ericcornelissen/shescape/security/advisories/GHSA-6f6w-6j58-rq76
fixed_packages
0
url pkg:npm/shescape@2.1.9
purl pkg:npm/shescape@2.1.9
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-wpfp-cjd5-87g2
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/shescape@2.1.9
aliases CVE-2026-30916, GHSA-6f6w-6j58-rq76
risk_score 1.4
exploitability 0.5
weighted_severity 2.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-cy6p-xc3p-wbe1
3
url VCID-emqt-chqk-wug3
vulnerability_id VCID-emqt-chqk-wug3
summary Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in shescape.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-40185
reference_id
reference_type
scores
0
value 0.00092
scoring_system epss
scoring_elements 0.25888
published_at 2026-06-05T12:55:00Z
1
value 0.00092
scoring_system epss
scoring_elements 0.25835
published_at 2026-06-07T12:55:00Z
2
value 0.00092
scoring_system epss
scoring_elements 0.2588
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-40185
1
reference_url https://github.com/ericcornelissen/shescape
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/ericcornelissen/shescape
2
reference_url https://github.com/ericcornelissen/shescape/commit/0b976dab645abf45ffd85e74a8c6e51ee2f42d63
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
1
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-30T19:09:19Z/
url https://github.com/ericcornelissen/shescape/commit/0b976dab645abf45ffd85e74a8c6e51ee2f42d63
3
reference_url https://github.com/ericcornelissen/shescape/pull/1142
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
1
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-30T19:09:19Z/
url https://github.com/ericcornelissen/shescape/pull/1142
4
reference_url https://github.com/ericcornelissen/shescape/releases/tag/v1.7.4
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
1
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-30T19:09:19Z/
url https://github.com/ericcornelissen/shescape/releases/tag/v1.7.4
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-40185
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-40185
6
reference_url https://github.com/advisories/GHSA-j55r-787p-m549
reference_id GHSA-j55r-787p-m549
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-j55r-787p-m549
7
reference_url https://github.com/ericcornelissen/shescape/security/advisories/GHSA-j55r-787p-m549
reference_id GHSA-j55r-787p-m549
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
1
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-30T19:09:19Z/
url https://github.com/ericcornelissen/shescape/security/advisories/GHSA-j55r-787p-m549
fixed_packages
0
url pkg:npm/shescape@1.7.4
purl pkg:npm/shescape@1.7.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-cy6p-xc3p-wbe1
1
vulnerability VCID-nfa3-zn9d-s7f9
2
vulnerability VCID-wpfp-cjd5-87g2
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/shescape@1.7.4
aliases CVE-2023-40185, GHSA-j55r-787p-m549
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-emqt-chqk-wug3
4
url VCID-px7h-1hh9-wuhs
vulnerability_id VCID-px7h-1hh9-wuhs
summary 
Shescape prior to 1.5.8 vulnerable to insufficient escaping of line feeds for CMD
### Impact

This impacts users that use Shescape (any API function) to escape arguments for **cmd.exe** on **Windows**. An attacker can omit all arguments following their input by including a line feed character (`'\n'`) in the payload. Example:

```javascript
import cp from "node:child_process";
import * as shescape from "shescape";

// 1. Prerequisites
const options = {
  shell: "cmd.exe",
};

// 2. Attack
const payload = "attacker\n";

// 3. Usage
let escapedPayload;
escapedPayload = shescape.escape(payload, options);
// Or
escapedPayload = shescape.escapeAll([payload], options)[0];
// Or
escapedPayload = shescape.quote(payload, options);
// Or
escapedPayload = shescape.quoteAll([payload], options)[0];

cp.execSync(`echo Hello ${escapedPayload}! How are you doing?`, options);
// Outputs:  "Hello attacker"
```

> **Note**: `execSync` is just illustrative here, all of `exec`, `execFile`, `execFileSync`, `fork`, `spawn`, and `spawnSync` can be attacked using a line feed character if CMD is the shell being used.

### Patches

This bug has been patched in [v1.5.8] which you can upgrade to now. No further changes are required.

### Workarounds

Alternatively, line feed characters (`'\n'`) can be stripped out manually or the user input can be made the last argument (this only limits the impact).

### References

- https://github.com/ericcornelissen/shescape/pull/332
- https://github.com/ericcornelissen/shescape/releases/tag/v1.5.8

### For more information

If you have any questions or comments about this advisory:

- Comment on https://github.com/ericcornelissen/shescape/pull/332
- Open an issue at https://github.com/ericcornelissen/shescape/issues (_New issue_ > _Question_ > _Get started_)

[v1.5.8]: https://github.com/ericcornelissen/shescape/releases/tag/v1.5.8
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-31179
reference_id
reference_type
scores
0
value 0.00625
scoring_system epss
scoring_elements 0.7059
published_at 2026-06-07T12:55:00Z
1
value 0.00625
scoring_system epss
scoring_elements 0.70608
published_at 2026-06-06T12:55:00Z
2
value 0.00625
scoring_system epss
scoring_elements 0.70598
published_at 2026-06-05T12:55:00Z
3
value 0.00625
scoring_system epss
scoring_elements 0.70556
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-31179
1
reference_url https://github.com/ericcornelissen/shescape
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/ericcornelissen/shescape
2
reference_url https://github.com/ericcornelissen/shescape/commit/aceea7358f7222984e21260381ebc5ec4543b76f
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/ericcornelissen/shescape/commit/aceea7358f7222984e21260381ebc5ec4543b76f
3
reference_url https://github.com/ericcornelissen/shescape/pull/332
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:45:15Z/
url https://github.com/ericcornelissen/shescape/pull/332
4
reference_url https://github.com/ericcornelissen/shescape/releases/tag/v1.5.8
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:45:15Z/
url https://github.com/ericcornelissen/shescape/releases/tag/v1.5.8
5
reference_url https://github.com/ericcornelissen/shescape/security/advisories/GHSA-jjc5-fp7p-6f8w
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:45:15Z/
url https://github.com/ericcornelissen/shescape/security/advisories/GHSA-jjc5-fp7p-6f8w
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-31179
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-31179
7
reference_url https://github.com/advisories/GHSA-jjc5-fp7p-6f8w
reference_id GHSA-jjc5-fp7p-6f8w
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-jjc5-fp7p-6f8w
fixed_packages
0
url pkg:npm/shescape@1.5.8
purl pkg:npm/shescape@1.5.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7x9z-rjk1-j7d2
1
vulnerability VCID-8tmm-r9hx-t7gh
2
vulnerability VCID-cy6p-xc3p-wbe1
3
vulnerability VCID-emqt-chqk-wug3
4
vulnerability VCID-wpfp-cjd5-87g2
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/shescape@1.5.8
aliases CVE-2022-31179, GHSA-jjc5-fp7p-6f8w, GMS-2022-3205
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-px7h-1hh9-wuhs
5
url VCID-wpfp-cjd5-87g2
vulnerability_id VCID-wpfp-cjd5-87g2
summary 
Shescape escape() leaves bracket glob expansion active on Bash, BusyBox, and Dash
`Shescape#escape()` does not escape square-bracket glob syntax for Bash, BusyBox `sh`, and Dash. Applications that interpolate the return value directly into a shell command string can cause an attacker-controlled value like `secret[12]` to expand into multiple filesystem matches instead of a single literal argument, turning one argument into multiple trusted-pathname matches.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-32094
reference_id
reference_type
scores
0
value 0.00056
scoring_system epss
scoring_elements 0.17699
published_at 2026-06-07T12:55:00Z
1
value 0.00056
scoring_system epss
scoring_elements 0.17732
published_at 2026-06-06T12:55:00Z
2
value 0.00056
scoring_system epss
scoring_elements 0.17739
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-32094
1
reference_url https://github.com/ericcornelissen/shescape
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/ericcornelissen/shescape
2
reference_url https://github.com/ericcornelissen/shescape/commit/6add105c6f6b508662bb5ae3b3bdd4c9bcebf37a
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-12T19:54:11Z/
url https://github.com/ericcornelissen/shescape/commit/6add105c6f6b508662bb5ae3b3bdd4c9bcebf37a
3
reference_url https://github.com/ericcornelissen/shescape/pull/2410
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/ericcornelissen/shescape/pull/2410
4
reference_url https://github.com/ericcornelissen/shescape/releases/tag/v2.1.10
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/ericcornelissen/shescape/releases/tag/v2.1.10
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-32094
reference_id CVE-2026-32094
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-32094
6
reference_url https://github.com/advisories/GHSA-9jfh-9xrq-4vwm
reference_id GHSA-9jfh-9xrq-4vwm
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9jfh-9xrq-4vwm
7
reference_url https://github.com/ericcornelissen/shescape/security/advisories/GHSA-9jfh-9xrq-4vwm
reference_id GHSA-9jfh-9xrq-4vwm
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
2
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-12T19:54:11Z/
url https://github.com/ericcornelissen/shescape/security/advisories/GHSA-9jfh-9xrq-4vwm
fixed_packages
0
url pkg:npm/shescape@2.1.10
purl pkg:npm/shescape@2.1.10
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/shescape@2.1.10
aliases CVE-2026-32094, GHSA-9jfh-9xrq-4vwm
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wpfp-cjd5-87g2
6
url VCID-xw8t-7zmd-gqds
vulnerability_id VCID-xw8t-7zmd-gqds
summary 
Shescape vulnerable to insufficient escaping of whitespace
### Impact

This only impacts users that use the `escape` or `escapeAll` functions with the `interpolation` option set to `true`. Example:

```javascript
import cp from "node:child_process";
import * as shescape from "shescape";

// 1. Prerequisites
const options = {
  shell: "bash",
  // Or
  shell: "dash",
  // Or
  shell: "powershell.exe",
  // Or
  shell: "zsh",
  // Or
  shell: undefined, // Only if the default shell is one of the affected shells.
};

// 2. Attack (one of multiple)
const payload = "foo #bar";

// 3. Usage
let escapedPayload;
shescape.escape(payload, { interpolation: true });
// Or
shescape.escapeAll(payload, { interpolation: true });

cp.execSync(`echo Hello ${escapedPayload}!`, options);
// _Output depends on the shell being used_
```

The result is that if an attacker is able to include whitespace in their input they can:

1. Invoke shell-specific behaviour through shell-specific special characters inserted directly after whitespace.
   - Affected shells: _Bash_, _Dash_, _Zsh_, _PowerShell_
2. Invoke shell-specific behaviour through shell-specific special characters inserted or appearing after line terminating characters. 
   - Affected shells: _Bash_
3. Invoke arbitrary commands by inserting a line feed character.
   - Affected Shells: _Bash_, _Dash_, _Zsh_, _PowerShell_
3. Invoke arbitrary commands by inserting a carriage return character.
   - Affected Shells: _PowerShell_

### Patches

Behaviour number 1 has been patched in [v1.5.7] which you can upgrade to now. No further changes are required.

Behaviour number 2, 3, and 4 have been patched in [v1.5.8] which you can upgrade to now. No further changes are required.

### Workarounds

The best workaround is to avoid having to use the `interpolation: true` option - in most cases using an alternative is possible, see [the recipes](https://github.com/ericcornelissen/shescape#recipes) for recommendations.

Alternatively, you can strip all whitespace from user input. Note that this is error prone, for example: for PowerShell this requires stripping `'\u0085'` which is not included in JavaScript's definition of `\s` for Regular Expressions.

### References

- https://github.com/ericcornelissen/shescape/pull/322
- https://github.com/ericcornelissen/shescape/pull/324
- https://github.com/ericcornelissen/shescape/pull/332
- https://github.com/ericcornelissen/shescape/releases/tag/v1.5.7
- https://github.com/ericcornelissen/shescape/releases/tag/v1.5.8

### For more information

- Comment on:
  - For behaviour 1 (PowerShell): https://github.com/ericcornelissen/shescape/pull/322
  - For behaviour 1 (Bash, Dash, Zsh): https://github.com/ericcornelissen/shescape/pull/324
  - For behaviour 2, 3, 4 (_any shell_): https://github.com/ericcornelissen/shescape/pull/332
- Open an issue at https://github.com/ericcornelissen/shescape/issues (_New issue_ > _Question_ > _Get started_)
- If you're missing CMD from this advisory, see https://github.com/ericcornelissen/shescape/security/advisories/GHSA-jjc5-fp7p-6f8w

[v1.5.7]: https://github.com/ericcornelissen/shescape/releases/tag/v1.5.7
[v1.5.8]: https://github.com/ericcornelissen/shescape/releases/tag/v1.5.8
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-31180
reference_id
reference_type
scores
0
value 0.0108
scoring_system epss
scoring_elements 0.78188
published_at 2026-06-04T12:55:00Z
1
value 0.0108
scoring_system epss
scoring_elements 0.78211
published_at 2026-06-07T12:55:00Z
2
value 0.0108
scoring_system epss
scoring_elements 0.78221
published_at 2026-06-06T12:55:00Z
3
value 0.0108
scoring_system epss
scoring_elements 0.78214
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-31180
1
reference_url https://github.com/ericcornelissen/shescape
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/ericcornelissen/shescape
2
reference_url https://github.com/ericcornelissen/shescape/pull/322
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-04-22T15:37:14Z/
url https://github.com/ericcornelissen/shescape/pull/322
3
reference_url https://github.com/ericcornelissen/shescape/pull/324
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-04-22T15:37:14Z/
url https://github.com/ericcornelissen/shescape/pull/324
4
reference_url https://github.com/ericcornelissen/shescape/pull/332
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/ericcornelissen/shescape/pull/332
5
reference_url https://github.com/ericcornelissen/shescape/releases/tag/v1.5.7
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-04-22T15:37:14Z/
url https://github.com/ericcornelissen/shescape/releases/tag/v1.5.7
6
reference_url https://github.com/ericcornelissen/shescape/releases/tag/v1.5.8
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-04-22T15:37:14Z/
url https://github.com/ericcornelissen/shescape/releases/tag/v1.5.8
7
reference_url https://github.com/ericcornelissen/shescape/security/advisories/GHSA-44vr-rwwj-p88h
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-04-22T15:37:14Z/
url https://github.com/ericcornelissen/shescape/security/advisories/GHSA-44vr-rwwj-p88h
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-31180
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-31180
9
reference_url https://github.com/advisories/GHSA-44vr-rwwj-p88h
reference_id GHSA-44vr-rwwj-p88h
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-44vr-rwwj-p88h
fixed_packages
0
url pkg:npm/shescape@1.5.8
purl pkg:npm/shescape@1.5.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7x9z-rjk1-j7d2
1
vulnerability VCID-8tmm-r9hx-t7gh
2
vulnerability VCID-cy6p-xc3p-wbe1
3
vulnerability VCID-emqt-chqk-wug3
4
vulnerability VCID-wpfp-cjd5-87g2
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/shescape@1.5.8
aliases CVE-2022-31180, GHSA-44vr-rwwj-p88h, GMS-2022-3204
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xw8t-7zmd-gqds
Fixing_vulnerabilities
Risk_score4.5
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:npm/shescape@1.5.6