CVE-2022-24725
MEDIUMshescape 1.4.0-1.5.1 - Home Directory Exposure via Interpolation Option in Bash
Title source: llmDescription
Shescape is a shell escape package for JavaScript. An issue in versions 1.4.0 to 1.5.1 allows for exposure of the home directory on Unix systems when using Bash with the `escape` or `escapeAll` functions from the _shescape_ API with the `interpolation` option set to `true`. Other tested shells, Dash and Zsh, are not affected. Depending on how the output of _shescape_ is used, directory traversal may be possible in the application using _shescape_. The issue was patched in version 1.5.1. As a workaround, manually escape all instances of the tilde character (`~`) using `arg.replace(/~/g, "\\~")`.
References (3)
Core 3
Core References
Exploit, Third Party Advisory x_refsource_confirm
https://github.com/ericcornelissen/shescape/security/advisories/GHSA-446w-rrm4-r47f
Exploit, Issue Tracking, Third Party Advisory x_refsource_misc
https://github.com/ericcornelissen/shescape/issues/169
Patch, Third Party Advisory x_refsource_misc
https://github.com/ericcornelissen/shescape/pull/170
Scores
CVSS v3
6.2
EPSS
0.0030
EPSS Percentile
53.1%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-78
CWE-200
Status
published
Products (2)
npm/shescape
1.4.0 - 1.5.1npm
shescape_project/shescape
1.4.0 - 1.5.1
Published
Mar 03, 2022
Tracked Since
Feb 18, 2026