CWE: 74

CVE-2022-31180: Insufficient escaping of whitespace in shescape

First published: Mon Aug 01 2022

Shescape is a simple shell escape package for JavaScript. Affected versions were found to have insufficient escaping of white space when interpolating output. This issue only impacts users that use the `escape` or `escapeAll` functions with the `interpolation` option set to `true`. The result is that if an attacker is able to include whitespace in their input they can:

1. Invoke shell-specific behaviour through shell-specific special characters inserted directly after whitespace.
2. Invoke shell-specific behaviour through shell-specific special characters inserted or appearing after line terminating characters.
3. Invoke arbitrary commands by inserting a line feed character.
4. Invoke arbitrary commands by inserting a carriage return character.

Behaviour 1 has been patched in [v1.5.7], which you can upgrade to now. No further changes are required. Behaviours 2, 3, and 4 have been patched in [v1.5.8], which you can upgrade to now. No further changes are required.

The best workaround is to avoid having to use the `interpolation: true` option; in most cases an alternative is possible, see [the recipes](https://github.com/ericcornelissen/shescape#recipes) for recommendations. Alternatively, users may strip all whitespace from user input. Note that this is error prone: for example, for PowerShell this requires stripping `'\u0085'`, which is not included in JavaScript's definition of `\s` for regular expressions.
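The "strip all whitespace" workaround and its `\u0085` caveat, as an added JavaScript example that is not shescape's own code; the function names and sample inputs are constructed for illustration:

```javascript
// Added example (not shescape's own code): the advisory's "strip all
// whitespace" workaround, showing why a plain \s-based strip is error prone.

// Naive strip: JavaScript's \s does NOT include U+0085 (NEL), so that
// character survives even though PowerShell treats it as a line terminator.
const NAIVE_WHITESPACE = /\s+/g;

// Complete strip: \s plus U+0085, covering the PowerShell case as well.
const SHELL_WHITESPACE = /[\s\u0085]+/g;

function stripWhitespaceNaive(input) {
  return input.replace(NAIVE_WHITESPACE, "");
}

function stripWhitespace(input) {
  return input.replace(SHELL_WHITESPACE, "");
}

// Reject-instead-of-rewrite variant: lets a caller refuse and log the input
// rather than silently altering it before it reaches `escape(..., { interpolation: true })`.
function hasShellWhitespace(input) {
  return /[\s\u0085]/.test(input);
}

// Constructed inputs mirroring the advisory's four behaviours: whitespace
// followed by a shell special character, and the LF / CR / NEL line terminators.
const SAMPLES = {
  spaceThenSpecial: "file.txt $HOME",
  lineFeed: "file.txt\nmore",
  carriageReturn: "file.txt\rmore",
  nextLine: "file.txt\u0085more",
};

// Returns, per sample, whether each strategy actually removed every terminator.
function compareStrategies(samples = SAMPLES) {
  const report = {};
  for (const [name, value] of Object.entries(samples)) {
    report[name] = {
      naiveClean: !hasShellWhitespace(stripWhitespaceNaive(value)),
      completeClean: !hasShellWhitespace(stripWhitespace(value)),
    };
  }
  return report;
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(compareStrategies());
}
```

Only the `nextLine` sample differs between the two strategies, which is exactly the PowerShell case the advisory warns about.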

Credit: security-advisories@github.com

Affected Software | Affected Version | How to fix
--- | --- | ---
Shescape Project: Shescape | >=1.4.0 <1.5.8 | Update to version 1.5.8 or later


Frequently Asked Questions

  • What is CVE-2022-31180?

    CVE-2022-31180 is a vulnerability in the Shescape package for JavaScript caused by insufficient escaping of white space when interpolating output.

  • How does CVE-2022-31180 impact users?

    CVE-2022-31180 only impacts users that use the `escape` or `escapeAll` functions with the `interpolation` option set to `true`.

  • What is the severity of CVE-2022-31180?

    CVE-2022-31180 has a severity rating of 9.8 (Critical).

  • How can I fix CVE-2022-31180?

    To fix CVE-2022-31180, users should update to version 1.5.8 or later of the Shescape package.

  • Is there any additional information about CVE-2022-31180?

    More information about CVE-2022-31180 can be found in the following references: [GitHub Pull Request #322](https://github.com/ericcornelissen/shescape/pull/322), [GitHub Pull Request #324](https://github.com/ericcornelissen/shescape/pull/324), [GitHub Release v1.5.7](https://github.com/ericcornelissen/shescape/releases/tag/v1.5.7).

© 2024 SecAlerts Pty Ltd.