Moderate severity · NVD Advisory · Published Mar 11, 2026 · Updated Mar 12, 2026
Shescape escape() leaves bracket glob expansion active on Bash, BusyBox, and Dash
CVE-2026-32094
Description
Shescape is a simple shell escape library for JavaScript. Prior to 2.1.10, Shescape#escape() does not escape square-bracket glob syntax for Bash, BusyBox sh, and Dash. Applications that interpolate the return value directly into a shell command string can cause an attacker-controlled value like secret[12] to expand into multiple filesystem matches instead of a single literal argument, turning one argument into multiple trusted-pathname matches. This vulnerability is fixed in 2.1.10.
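As an added illustration of the bug class described above (example code, not Shescape's own implementation): a hypothetical backslash escaper that omits `[` and `]`, the same routine with the brackets covered, a single-quote quoting routine that neutralises glob characters altogether, and a regression check that reports whether a bracket glob survives escaping. All function names are assumed for this example.

```javascript
// Added example, not Shescape's implementation. Shows the bug class the
// advisory describes: a backslash escaper that forgets [ and ] leaves a
// bracket glob active for Bash, Dash and BusyBox sh.

// Hypothetical flawed escaper: covers common metacharacters, not brackets.
function escapeMissingBrackets(arg) {
  return String(arg).replace(/([\\"'$`!&|;<>(){}*?~\s])/g, "\\$1");
}

// Same routine with [ and ] added to the set of escaped characters.
function escapeWithBrackets(arg) {
  return String(arg).replace(/([\\"'$`!&|;<>(){}*?~\[\]\s])/g, "\\$1");
}

// Alternative: single-quote the whole argument. Inside single quotes no
// character is special, so only a literal ' needs the '\'' handling.
function quotePosix(arg) {
  return "'" + String(arg).replace(/'/g, "'\\''") + "'";
}

// Regression check for a test suite: does a bracket expression survive
// unquoted and unescaped? Treats '...' regions and backslash-escaped
// characters as inert, the way the POSIX shells above do.
function hasActiveBracketGlob(str) {
  let inSingle = false;
  let open = -1;
  for (let i = 0; i < str.length; i++) {
    const c = str[i];
    if (!inSingle && c === "\\") { i++; continue; } // escaped: skip next char
    if (c === "'") { inSingle = !inSingle; continue; }
    if (inSingle) continue;
    if (c === "[" && open < 0) open = i;
    else if (c === "]" && open >= 0 && i > open + 1) return true; // [x] or []]
  }
  return false;
}

// Demonstration with the constructed value quoted in the advisory.
function demo() {
  const value = "secret[12]";
  return {
    flawed: hasActiveBracketGlob(escapeMissingBrackets(value)), // true
    fixed: hasActiveBracketGlob(escapeWithBrackets(value)),     // false
    quoted: hasActiveBracketGlob(quotePosix(value)),            // false
  };
}
```

Where the application controls how the command is launched, passing arguments as an array to `child_process.execFile` avoids the shell entirely, so no escaping routine is in the path at all.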
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| shescape (npm) | < 2.1.10 | 2.1.10 |
Affected products
- Range: < 2.1.10
References
- github.com/advisories/GHSA-9jfh-9xrq-4vwm (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-32094 (NVD advisory)
- github.com/ericcornelissen/shescape/commit/6add105c6f6b508662bb5ae3b3bdd4c9bcebf37a (commit)
- github.com/ericcornelissen/shescape/pull/2410 (pull request)
- github.com/ericcornelissen/shescape/releases/tag/v2.1.10 (release)
- github.com/ericcornelissen/shescape/security/advisories/GHSA-9jfh-9xrq-4vwm (project advisory)