CVE-2023-35931

LOW3.1EPSS 0.46%

Shescape potential environment variable exposure on Windows with CMD

Published: 6/22/2023Modified: 11/8/2023

Description

### Impact This impact users of Shescape: 1. On Windows using the Windows Command Prompt (i.e. `cmd.exe`), and 2. Using `quote`/`quoteAll` or `escape`/`escapeAll` with the `interpolation` option set to `true`. An attacker may be able to get read-only access to environment variables. Example: ```javascript import * as cp from "node:child_process"; import * as shescape from "shescape"; // 1. Prerequisites const options = { shell: "cmd.exe", // Or shell: undefined, // Only if the default shell is CMD // And interpolation: true, // Only applies to `escape` and `escapeAll` usage } // 2. Attack (one of many) const payload = "%PATH%"; // 3. Usage let escapedPayload; escapedPayload = shescape.quote(payload, options); // Or escapedPayload = shescape.quoteAll([payload], options); // Or escapedPayload = shescape.escape(payload, options); // Or escapedPayload = shescape.escapeAll([payload], options); // And (example) const result = cp.execSync(`echo Hello ${escapedPayload}`, options); // 4. Impact console.log(result.toString()); // Outputs "Hello" followed by the contents of the PATH environment variable ``` ### Patches This bug has been patched in [v1.7.1](https://github.com/ericcornelissen/shescape/releases/tag/v1.7.1) which you can upgrade to now. No further changes are required. ### Workarounds Alternatively, users can remove all instances of `%` from user input, either before or after using Shescape. ### References - Shescape Pull request [#982](https://github.com/ericcornelissen/shescape/pull/982) - Shescape commit [`d0fce70`](https://github.com/ericcornelissen/shescape/commit/d0fce70f987ac0d8331f93cb45d47e79436173ac) - Shescape Release [v1.7.1](https://github.com/ericcornelissen/shescape/releases/tag/v1.7.1)

Affected packages (1)

CVSS scores

SourceVersionSeverityVector
osvCVSS 3.1LOW3.1CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

References (6)