npm package
shescape
pkg:npm/shescape
Vulnerabilities (9)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-32094 | | — | | < 2.1.10 | 2.1.10 | Mar 11, 2026 | Shescape is a simple shell escape library for JavaScript. Prior to 2.1.10, Shescape#escape() does not escape square-bracket glob syntax for Bash, BusyBox sh, and Dash. Applications that interpolate the return value directly into a shell command string can cause an attacker-contro |
| CVE-2025-30222 | Low | — | | >= 1.7.2, < 2.1.2 | 2.1.2 | Mar 25, 2025 | Shescape is a simple shell escape library for JavaScript. Versions 1.7.2 through 2.1.1 are vulnerable to potential environment variable exposure on Windows with CMD. This impacts users of Shescape on Windows that explicitly configure `shell: 'cmd.exe'` or `shell: true` using any o |
| CVE-2023-40185 | | — | | < 1.7.4 | 1.7.4 | Aug 23, 2023 | Shescape is a simple shell escape library for JavaScript. This may impact users that use Shescape on Windows in a threaded context. The vulnerability can result in Shescape escaping (or quoting) for the wrong shell, thus allowing attackers to bypass protections depending on the com |
| CVE-2023-35931 | | — | | < 1.7.1 | 1.7.1 | Jun 23, 2023 | Shescape is a simple shell escape library for JavaScript. An attacker may be able to get read-only access to environment variables. This bug has been patched in version 1.7.1. |
| CVE-2022-25918 | | — | | >= 1.5.10, < 1.6.1 | 1.6.1 | Oct 27, 2022 | The package shescape from 1.5.10 and before 1.6.1 is vulnerable to Regular Expression Denial of Service (ReDoS) via the escape function in index.js, due to the usage of insecure regex in the escapeArgBash function. |
| CVE-2022-31179 | | — | | < 1.5.8 | 1.5.8 | Aug 1, 2022 | Shescape is a simple shell escape package for JavaScript. Versions prior to 1.5.8 were found to be subject to code injection on Windows. This impacts users that use Shescape (any API function) to escape arguments for cmd.exe on Windows. An attacker can omit all arguments following |
| CVE-2022-31180 | | — | | >= 1.4.0, < 1.5.8 | 1.5.8 | Aug 1, 2022 | Shescape is a simple shell escape package for JavaScript. Affected versions were found to have insufficient escaping of white space when interpolating output. This issue only impacts users that use the `escape` or `escapeAll` functions with the `interpolation` option set to `true |
| CVE-2022-24725 | | — | | >= 1.4.0, < 1.5.1 | 1.5.1 | Mar 3, 2022 | Shescape is a shell escape package for JavaScript. An issue in versions 1.4.0 to 1.5.1 allows for exposure of the home directory on Unix systems when using Bash with the `escape` or `escapeAll` functions from the _shescape_ API with the `interpolation` option set to `true`. Other |
| CVE-2021-21384 | | — | | < 1.1.3 | 1.1.3 | Mar 18, 2021 | shescape is a simple shell escape package for JavaScript. In shescape before version 1.1.3, anyone using _Shescape_ to defend against shell injection may still be vulnerable against shell injection if the attacker manages to insert a into the payload. For an example see the refer |