CVE-2025-30222
Shescape has potential environment variable exposure on Windows with CMD
Description
### Impact This impact users of Shescape on Windows that explicitly configure `shell: 'cmd.exe'` or `shell: true` using any of `quote`/`quoteAll`/`escape`/`escapeAll`. An attacker may be able to get read-only access to environment variables. Example: ```javascript import * as cp from "node:child_process"; import { Shescape } from "shescape"; // 1. Prerequisites const shescape = new Shescape({ shell: "cmd.exe", // Or shell: true, // Only if the default shell is CMD }); // 2. Payload const payload = '"%PATH%'; // 3. Usage let escapedPayload; escapedPayload = shescape.quote(payload); // Or escapedPayload = shescape.quoteAll([payload]); // Or escapedPayload = shescape.escape(payload); // Or escapedPayload = shescape.escapeAll([payload]); // And (example) const result = cp.execSync(`echo Hello ${escapedPayload}`, options); // 4. Impact console.log(result.toString()); // Outputs "Hello" followed by the contents of the PATH environment variable ``` For Shescape prior to v2.0.0, the `options` object must have `shell: 'cmd.exe'` or `shell: undefined` and `interpolation: true`. ### Patches This bug has been patched in [v2.1.2](https://github.com/ericcornelissen/shescape/releases/tag/v2.1.2) which you can upgrade to now. If you are already using v2 of Shescape, no further changes are required. If you are using v1 of Shescape, follow the [migration guide](https://github.com/ericcornelissen/shescape/blob/155b13b4141750203ce71249f1b0fdc638c7a0d0/docs/migration.md) to upgrade to v2. There is no plan to release a patch compatible with v1 of Shescape. ### Workarounds Alternatively, users can remove all instances of % from user input before using Shescape. ### References - Shescape Pull Request [#1916](https://github.com/ericcornelissen/shescape/pull/1916) - Shescape commit [0a81f1e](https://github.com/ericcornelissen/shescape/commit/0a81f1eb077bab8caae283a2490cd7be9af179c6) - Shescape release [v2.1.2](https://github.com/ericcornelissen/shescape/releases/tag/v2.1.2) ### For more information - Comment on Pull Request [#1916](https://github.com/ericcornelissen/shescape/pull/1916) - Comment on commit [0a81f1e](https://github.com/ericcornelissen/shescape/commit/0a81f1eb077bab8caae283a2490cd7be9af179c6) - Open an issue at [https://github.com/ericcornelissen/shescape/issues](https://github.com/ericcornelissen/shescape/issues) (New issue > Question)
How to fix CVE-2025-30222
To remediate CVE-2025-30222, upgrade the affected package to a fixed version below.
- —