CVE-2023-35931

Description

### Impact This impact users of Shescape: 1. On Windows using the Windows Command Prompt (i.e. `cmd.exe`), and 2. Using `quote`/`quoteAll` or `escape`/`escapeAll` with the `interpolation` option set to `true`. An attacker may be able to get read-only access to environment variables. Example: ```javascript import * as cp from "node:child_process"; import * as shescape from "shescape"; // 1. Prerequisites const options = { shell: "cmd.exe", // Or shell: undefined, // Only if the default shell is CMD // And interpolation: true, // Only applies to `escape` and `escapeAll` usage } // 2. Attack (one of many) const payload = "%PATH%"; // 3. Usage let escapedPayload; escapedPayload = shescape.quote(payload, options); // Or escapedPayload = shescape.quoteAll([payload], options); // Or escapedPayload = shescape.escape(payload, options); // Or escapedPayload = shescape.escapeAll([payload], options); // And (example) const result = cp.execSync(`echo Hello ${escapedPayload}`, options); // 4. Impact console.log(result.toString()); // Outputs "Hello" followed by the contents of the PATH environment variable ``` ### Patches This bug has been patched in [v1.7.1](https://github.com/ericcornelissen/shescape/releases/tag/v1.7.1) which you can upgrade to now. No further changes are required. ### Workarounds Alternatively, users can remove all instances of `%` from user input, either before or after using Shescape. ### References - Shescape Pull request [#982](https://github.com/ericcornelissen/shescape/pull/982) - Shescape commit [`d0fce70`](https://github.com/ericcornelissen/shescape/commit/d0fce70f987ac0d8331f93cb45d47e79436173ac) - Shescape Release [v1.7.1](https://github.com/ericcornelissen/shescape/releases/tag/v1.7.1)

How to fix CVE-2023-35931

To remediate CVE-2023-35931, upgrade the affected package to a fixed version below.

• —upgrade to 1.7.1 or later

Is CVE-2023-35931 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (1)