CVE-2021-21384

MEDIUM 6.3 | EPSS 0.17%

Null characters not escaped

Published: 3/18/2021 | Modified: 3/13/2026
Also known as: GHSA-f2rp-38vg-j3gh

Description

### Impact

Anyone using _Shescape_ to defend against shell injection may still be vulnerable to shell injection if the attacker manages to insert a [null character](https://en.wikipedia.org/wiki/Null_character) into the payload. For example (on Windows):

```javascript
const cp = require("child_process");
const shescape = require("shescape");

const nullChar = String.fromCharCode(0);
// Template literal so that ${nullChar} is interpolated into the payload.
const payload = `foo" && ls -al ${nullChar} && echo "bar`;
console.log(cp.execSync(`echo ${shescape.quote(payload)}`));
// foototal 3
// drwxr-xr-x 1 owner XXXXXX 0 Mar 13 18:44 .
// drwxr-xr-x 1 owner XXXXXX 0 Mar 13 00:09 ..
// drwxr-xr-x 1 owner XXXXXX 0 Mar 13 18:42 folder
// -rw-r--r-- 1 owner XXXXXX 0 Mar 13 18:42 file
```

### Patches

The problem has been patched in [v1.1.3](https://github.com/ericcornelissen/shescape/releases/tag/v1.1.3), which you can upgrade to now. No further changes are required.

### Workarounds

Alternatively, null characters can be stripped out manually using e.g. `arg.replace(/\u{0}/gu, "")`.
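The following is an added example, not code from the advisory or from the Shescape project: it checks a parsed `package-lock.json` for Shescape copies older than the fixed v1.1.3 and applies the null-stripping workaround to a value. The helper names (`isVulnerable`, `stripNull`, `findVulnerable`) and the sample lockfile are assumptions made for illustration.

```javascript
// Added example; helper names are hypothetical, not Shescape API.
const PATCHED = [1, 1, 3]; // first fixed release named in the advisory

// Parse "1.1.2" or "v1.1.2" into [major, minor, patch]; null if malformed.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// True when a shescape version predates the null-character fix.
function isVulnerable(version) {
  const v = parseVersion(version);
  if (!v) return true; // unknown version: treat as unpatched
  for (let i = 0; i < 3; i++) {
    if (v[i] !== PATCHED[i]) return v[i] < PATCHED[i];
  }
  return false; // exactly 1.1.3
}

// The advisory's workaround: remove every U+0000 before quoting the value.
function stripNull(arg) {
  return String(arg).replace(/\u{0}/gu, "");
}

// List shescape copies older than the fix in a parsed package-lock.json
// (lockfileVersion 2/3 "packages" layout, including nested copies).
function findVulnerable(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith("node_modules/shescape") && isVulnerable(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile, not taken from any real project.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app" },
    "node_modules/shescape": { version: "1.1.2" },
    "node_modules/tool/node_modules/shescape": { version: "1.1.3" },
  },
};

console.log(findVulnerable(sampleLock));
console.log(JSON.stringify(stripNull("foo\u0000bar")));
```

Nested copies under another dependency's `node_modules` are reported separately, since upgrading the top-level package does not replace them.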

Affected packages (1)

CVSS scores

| Source | Version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 3.1 | MEDIUM 6.3 | CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N |

References (5)