CVE-2022-31179
HIGHshescape < 1.5.8 - Command Injection via Line Feed Character
Title source: llmDescription
Shescape is a simple shell escape package for JavaScript. Versions prior to 1.5.8 were found to be subject to code injection on windows. This impacts users that use Shescape (any API function) to escape arguments for cmd.exe on Windows An attacker can omit all arguments following their input by including a line feed character (`'\n'`) in the payload. This bug has been patched in [v1.5.8] which you can upgrade to now. No further changes are required. Alternatively, line feed characters (`'\n'`) can be stripped out manually or the user input can be made the last argument (this only limits the impact).
References (3)
Core 3
Core References
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/ericcornelissen/shescape/releases/tag/v1.5.8
Exploit, Patch, Third Party Advisory x_refsource_confirm
https://github.com/ericcornelissen/shescape/security/advisories/GHSA-jjc5-fp7p-6f8w
Patch, Third Party Advisory x_refsource_misc
https://github.com/ericcornelissen/shescape/pull/332
Scores
CVSS v3
8.1
EPSS
0.0063
EPSS Percentile
70.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-74
Status
published
Products (2)
npm/shescape
0 - 1.5.8npm
shescape_project/shescape
< 1.5.8
Published
Aug 01, 2022
Tracked Since
Feb 18, 2026