CVE-2021-21384

Description

### Impact Anyone using _Shescape_ to defend against shell injection may still be vulnerable against shell injection if the attacker manages to insert a [null character](https://en.wikipedia.org/wiki/Null_character) into the payload. For example (on Windows): ```javascript const cp = require("child_process"); const shescape = require("shescape"); const nullChar = String.fromCharCode(0); const payload = "foo\" && ls -al ${nullChar} && echo \"bar"; console.log(cp.execSync(`echo ${shescape.quote(payload)}`)); // foototal 3 // drwxr-xr-x 1 owner XXXXXX 0 Mar 13 18:44 . // drwxr-xr-x 1 owner XXXXXX 0 Mar 13 00:09 .. // drwxr-xr-x 1 owner XXXXXX 0 Mar 13 18:42 folder // -rw-r--r-- 1 owner XXXXXX 0 Mar 13 18:42 file ``` ### Patches The problem has been patched in [v1.1.3](https://github.com/ericcornelissen/shescape/releases/tag/v1.1.3) which you can upgrade to now. No further changes are required. ### Workarounds Alternatively, null characters can be stripped out manually using e.g. `arg.replace(/\u{0}/gu, "")`

How to fix CVE-2021-21384

To remediate CVE-2021-21384, upgrade the affected package to a fixed version below.

• —upgrade to 1.1.3 or later

Is CVE-2021-21384 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 1.1.3

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-21384
• WEBgithub.com/ericcornelissen/shescape/commit/07a069a66423809cbedd61d980c11ca44a29ea2b
• WEBgithub.com/ericcornelissen/shescape/releases/tag/v1.1.3
• WEBgithub.com/ericcornelissen/shescape/security/advisories/GHSA-f2rp-38vg-j3gh