High severityNVD Advisory· Published Mar 18, 2021· Updated Aug 3, 2024
Null characters not escaped in shescape
CVE-2021-21384
Description
shescape is a simple shell escape package for JavaScript. In shescape before version 1.1.3, anyone using _Shescape_ to defend against shell injection may still be vulnerable to shell injection if the attacker manages to insert a null character into the payload. For an example see the referenced GitHub Security Advisory. The problem has been patched in version 1.1.3. No further changes are required.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| shescape (npm) | < 1.1.3 | 1.1.3 |
Affected products
1- Range: < 1.1.3
Patches
107a069a66423Strip null characters from arguments
5 files changed · +35 −3
CHANGELOG.md+1 −1 modified@@ -7,7 +7,7 @@ Versioning]. ## [Unreleased] -- _No changes yet_ +- Strip null characters from arguments. ## [1.1.2] - 2021-01-07
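--- a/src/unix.js
+++ b/src/unix.js
@@ -11,7 +11,7 @@
  * @returns {string} The escaped argument.
  */
 function escapeShellArg(arg) {
-  return arg.replace(/'/g, `'\\''`);
+  return arg.replace(/\u{0}/gu, "").replace(/'/g, `'\\''`);
 }
 
 module.exports.escapeShellArg = escapeShellArg;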
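Review bot: The JSDoc above escapeShellArg (its opening lies outside the hunk) still describes only the escaped return value, while the new leading `.replace(/\u{0}/gu, "")` silently drops every U+0000 from the argument, so the contract change is undocumented; the same applies to the identical change in src/win.js. Suggest adding to that doc block: `Null characters (U+0000) are removed before escaping, since a null byte can otherwise cut the argument short and lose the closing quote.` Because the character is stripped rather than rejected, a caller never learns that its input was altered; whether a rejecting alternative such as `throw new TypeError("null character in argument")` fits better depends on the callers, which are not in the hunk. As a point of style, `/\0/g` expresses the same match more readably than `/\u{0}/gu`.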
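--- a/src/win.js
+++ b/src/win.js
@@ -11,7 +11,7 @@
  * @returns {string} The escaped argument.
  */
 function escapeShellArg(arg) {
-  return arg.replace(/"/g, `""`);
+  return arg.replace(/\u{0}/gu, "").replace(/"/g, `""`);
 }
 
 module.exports.escapeShellArg = escapeShellArg;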
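--- a/test/unix.test.js
+++ b/test/unix.test.js
@@ -22,4 +22,20 @@ describe("unix.js", function () {
       assert.strictEqual(output, `'\\'' & echo '\\''Hello world!'\\''`);
     });
   });
+
+  describe("null characters", function () {
+    const nullChar = String.fromCharCode(0);
+
+    it("removes one null character", function () {
+      const input = `foo' && ls${nullChar} -al ; echo 'bar`;
+      const output = escapeShellArg(input);
+      assert.strictEqual(output, `foo'\\'' && ls -al ; echo '\\''bar`);
+    });
+
+    it("removes multiple null character", function () {
+      const input = `foo'${nullChar}&&ls -al${nullChar};echo 'bar`;
+      const output = escapeShellArg(input);
+      assert.strictEqual(output, `foo'\\''&&ls -al;echo '\\''bar`);
+    });
+  });
 });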
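Review bot: Neither new case places the null character at the end of the argument or directly beside a quote, which are the positions most relevant to this advisory, since a trailing null byte is what would cut off the closing quote; a third case such as `const input = \`foo'bar${nullChar}\`;` with expected output `foo'\\''bar` (and a leading-null variant) would pin that regression, and the same gap exists in test/win.test.js. The second test title reads `removes multiple null character`; `characters` is meant. An input consisting only of null characters, which the fix reduces to the empty string, is also worth a case so the behaviour is fixed rather than accidental.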
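--- a/test/win.test.js
+++ b/test/win.test.js
@@ -22,4 +22,20 @@ describe("win.js", function () {
       assert.strictEqual(output, `"" & echo ""Hello world!`);
     });
   });
+
+  describe("null characters", function () {
+    const nullChar = String.fromCharCode(0);
+
+    it("removes one null character", function () {
+      const input = `foo" && ls${nullChar} -al ; echo "bar`;
+      const output = escapeShellArg(input);
+      assert.strictEqual(output, `foo"" && ls -al ; echo ""bar`);
+    });
+
+    it("removes multiple null character", function () {
+      const input = `foo"${nullChar}&&ls -al${nullChar};echo "bar`;
+      const output = escapeShellArg(input);
+      assert.strictEqual(output, `foo""&&ls -al;echo ""bar`);
+    });
+  });
 });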
References
6- github.com/advisories/GHSA-f2rp-38vg-j3ghghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-21384ghsaADVISORY
- github.com/ericcornelissen/shescape/commit/07a069a66423809cbedd61d980c11ca44a29ea2bghsax_refsource_MISCWEB
- github.com/ericcornelissen/shescape/releases/tag/v1.1.3ghsax_refsource_MISCWEB
- github.com/ericcornelissen/shescape/security/advisories/GHSA-f2rp-38vg-j3ghghsax_refsource_CONFIRMWEB
- www.npmjs.com/package/shescapeghsax_refsource_MISCWEB