Description
shescape is a simple shell escape library for JavaScript. This vulnerability may impact users who use Shescape on Windows in a threaded context. It can result in Shescape escaping (or quoting) for the wrong shell, thus allowing attackers to bypass protections, depending on the combination of expected and used shell. This bug has been patched in version 1.7.4.
References (4)
Core References
Exploit, Patch, Vendor Advisory x_refsource_confirm
https://github.com/ericcornelissen/shescape/security/advisories/GHSA-j55r-787p-m549
Patch x_refsource_misc
https://github.com/ericcornelissen/shescape/pull/1142
Patch x_refsource_misc
https://github.com/ericcornelissen/shescape/commit/0b976dab645abf45ffd85e74a8c6e51ee2f42d63
Release Notes x_refsource_misc
https://github.com/ericcornelissen/shescape/releases/tag/v1.7.4
Scores
CVSS v3
6.5
EPSS
0.0008
EPSS Percentile
24.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-150
Status
published
Products (2)
npm/shescape
0 - 1.7.4 (npm)
shescape_project/shescape
< 1.7.4
Published
Aug 23, 2023
Tracked Since
Feb 18, 2026