What is CVE-2022-24725?

CVE-2022-24725 is a vulnerability in the Shescape package for JavaScript that allows for the exposure of the home directory on Unix systems when using certain functions with specific options.

What is the severity of CVE-2022-24725?

The severity of CVE-2022-24725 is medium with a CVSS score of 5.5.

How can the home directory be exposed in CVE-2022-24725?

The home directory can be exposed in CVE-2022-24725 when using the 'escape' or 'escapeAll' functions from the Shescape API with the 'interpolation' option set to 'true'.

Which versions of Shescape are affected by CVE-2022-24725?

Versions 1.4.0 to 1.5.1 of Shescape are affected by CVE-2022-24725.

Is there a fix for CVE-2022-24725?

Yes, the fix for CVE-2022-24725 can be found in the Shescape package version 1.5.2 and onwards.

Vulnerability/
CVE-2022-24725

medium

6.2

CWE

78 200

3/3/2022

3/8/2024

CVE-2022-24725: Exposure of home directory through shescape on Unix with Bash

First published: Thu Mar 03 2022(Updated: )

Shescape is a shell escape package for JavaScript. An issue in versions 1.4.0 to 1.5.1 allows for exposure of the home directory on Unix systems when using Bash with the `escape` or `escapeAll` functions from the _shescape_ API with the `interpolation` option set to `true`. Other tested shells, Dash and Zsh, are not affected. Depending on how the output of _shescape_ is used, directory traversal may be possible in the application using _shescape_. The issue was patched in version 1.5.1. As a workaround, manually escape all instances of the tilde character (`~`) using `arg.replace(/~/g, "\\~")`.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Shescape Project Shescape Node.js	>=1.4.0<1.5.1

Remedy

https://github.com/ericcornelissen/shescape/pull/170

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2022-24725?
CVE-2022-24725 is a vulnerability in the Shescape package for JavaScript that allows for the exposure of the home directory on Unix systems when using certain functions with specific options.
What is the severity of CVE-2022-24725?
The severity of CVE-2022-24725 is medium with a CVSS score of 5.5.
How can the home directory be exposed in CVE-2022-24725?
The home directory can be exposed in CVE-2022-24725 when using the 'escape' or 'escapeAll' functions from the Shescape API with the 'interpolation' option set to 'true'.
Which versions of Shescape are affected by CVE-2022-24725?
Versions 1.4.0 to 1.5.1 of Shescape are affected by CVE-2022-24725.
Is there a fix for CVE-2022-24725?
Yes, the fix for CVE-2022-24725 can be found in the Shescape package version 1.5.2 and onwards.

agent/weakness
agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/references
agent/author
agent/remedy
agent/last-modified-date
agent/title
agent/severity
agent/first-publish-date
agent/description
agent/event
agent/source
agent/tags
collector/nvd-index
agent/software-canonical-lookup-request
vendor/shescape project
canonical/shescape project shescape node.js
version/shescape project shescape node.js/1.4.0

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.