CVE-2022-31179
Shescape prior to 1.5.8 vulnerable to insufficient escaping of line feeds for CMD
Description
### Impact This impacts users that use Shescape (any API function) to escape arguments for **cmd.exe** on **Windows**. An attacker can omit all arguments following their input by including a line feed character (`'\n'`) in the payload. Example: ```javascript import cp from "node:child_process"; import * as shescape from "shescape"; // 1. Prerequisites const options = { shell: "cmd.exe", }; // 2. Attack const payload = "attacker\n"; // 3. Usage let escapedPayload; escapedPayload = shescape.escape(payload, options); // Or escapedPayload = shescape.escapeAll([payload], options)[0]; // Or escapedPayload = shescape.quote(payload, options); // Or escapedPayload = shescape.quoteAll([payload], options)[0]; cp.execSync(`echo Hello ${escapedPayload}! How are you doing?`, options); // Outputs: "Hello attacker" ``` > **Note**: `execSync` is just illustrative here, all of `exec`, `execFile`, `execFileSync`, `fork`, `spawn`, and `spawnSync` can be attacked using a line feed character if CMD is the shell being used. ### Patches This bug has been patched in [v1.5.8] which you can upgrade to now. No further changes are required. ### Workarounds Alternatively, line feed characters (`'\n'`) can be stripped out manually or the user input can be made the last argument (this only limits the impact). ### References - https://github.com/ericcornelissen/shescape/pull/332 - https://github.com/ericcornelissen/shescape/releases/tag/v1.5.8 ### For more information If you have any questions or comments about this advisory: - Comment on https://github.com/ericcornelissen/shescape/pull/332 - Open an issue at https://github.com/ericcornelissen/shescape/issues (_New issue_ > _Question_ > _Get started_) [v1.5.8]: https://github.com/ericcornelissen/shescape/releases/tag/v1.5.8
How to fix CVE-2022-31179
To remediate CVE-2022-31179, upgrade the affected package to a fixed version below.
- —upgrade to 1.5.8 or later
Is CVE-2022-31179 being exploited?
Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.