First published: Tue Mar 25 2025
### Impact

This impacts users of Shescape on Windows that explicitly configure `shell: 'cmd.exe'` or `shell: true` and use any of `quote`/`quoteAll`/`escape`/`escapeAll`. An attacker may be able to get read-only access to environment variables: cmd.exe expands `%NAME%` references before it interprets quotes, so an escaped or quoted string that still carries an unescaped `%PATH%` reveals the value of `PATH` when the command runs.

Example:

```javascript
import * as cp from "node:child_process";
import { Shescape } from "shescape";

// 1. Prerequisites
const shescape = new Shescape({
  shell: "cmd.exe",
  // Or: shell: true (only if the default shell is CMD)
});

// child_process options: run the command through CMD
const options = { shell: "cmd.exe" };

// 2. Payload
const payload = '"%PATH%';

// 3. Usage
let escapedPayload;
escapedPayload = shescape.quote(payload);
// Or
escapedPayload = shescape.quoteAll([payload]);
// Or
escapedPayload = shescape.escape(payload);
// Or
escapedPayload = shescape.escapeAll([payload]);
// And (example)
const result = cp.execSync(`echo Hello ${escapedPayload}`, options);

// 4. Impact
console.log(result.toString());
// Outputs "Hello" followed by the contents of the PATH environment variable
```

For Shescape prior to v2.0.0, the `options` object must have `shell: 'cmd.exe'` or `shell: undefined` and `interpolation: true`.

### Patches

This bug has been patched in [v2.1.2](https://github.com/ericcornelissen/shescape/releases/tag/v2.1.2), which you can upgrade to now. If you are already using v2 of Shescape, no further changes are required. If you are using v1 of Shescape, follow the [migration guide](https://github.com/ericcornelissen/shescape/blob/155b13b4141750203ce71249f1b0fdc638c7a0d0/docs/migration.md) to upgrade to v2. There is no plan to release a patch compatible with v1 of Shescape.

### Workarounds

If upgrading is not immediately possible, remove all instances of `%` from user input before passing it to Shescape.
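The following is an added example, not code from the Shescape project or the advisory. It models the two points above in plain JavaScript that runs anywhere: a simplified simulation of how cmd.exe expands `%NAME%` references on a command line (showing why surrounding the payload with quotes does not stop the leak), and the `%`-stripping workaround. `expandCmdPercent`, `simulateEcho`, `hasPercentExpansion`, `stripPercent` and `SAMPLE_ENV` are names chosen here; the quoting in `simulateEcho` is a naive stand-in and is not Shescape's algorithm.

```javascript
// Added example (not Shescape's code). The expansion model below is simplified:
// it ignores %VAR:~n,m% substring syntax, batch-file %% semantics and delayed
// expansion, but reproduces the behaviour the advisory relies on.

// Simplified simulation of cmd.exe expanding %NAME% on a command line.
// Names are matched case-insensitively; a %NAME% whose name is unset or
// empty is left in the command literally, as interactive cmd.exe does.
function expandCmdPercent(commandLine, env) {
  const vars = new Map(
    Object.entries(env).map(([k, v]) => [k.toUpperCase(), v]),
  );
  let out = "";
  let i = 0;
  while (i < commandLine.length) {
    const ch = commandLine[i];
    if (ch !== "%") {
      out += ch;
      i += 1;
      continue;
    }
    const close = commandLine.indexOf("%", i + 1);
    const name = close === -1 ? "" : commandLine.slice(i + 1, close);
    if (name.length > 0 && vars.has(name.toUpperCase())) {
      out += vars.get(name.toUpperCase());
      i = close + 1;
    } else {
      // Not a defined variable: the % stays literal, scanning resumes after it.
      out += ch;
      i += 1;
    }
  }
  return out;
}

// Mirrors the advisory's `echo Hello ${escapedPayload}` with naive quoting
// (wrap in double quotes; NOT Shescape's algorithm). Because cmd.exe expands
// %NAME% before it looks at quotes, quoting alone does not prevent the leak.
function simulateEcho(userInput, env) {
  const quoted = `"${userInput}"`;
  return expandCmdPercent(`echo Hello ${quoted}`, env);
}

// Detects input cmd.exe could treat as a variable reference: a % followed by
// a non-empty run of characters and a closing %.
function hasPercentExpansion(input) {
  return /%[^%]+%/.test(input);
}

// The advisory's workaround: remove every % before the input reaches Shescape.
function stripPercent(input) {
  return input.replace(/%/g, "");
}

// Constructed sample environment standing in for a Windows process environment.
const SAMPLE_ENV = {
  PATH: "C:\\Windows;C:\\Windows\\System32",
  TEMP: "C:\\Users\\user\\AppData\\Local\\Temp",
};

// Before the workaround: PATH is expanded into the command, even inside quotes.
console.log(simulateEcho('"%PATH%', SAMPLE_ENV));
// After the workaround: nothing left for cmd.exe to expand.
console.log(simulateEcho(stripPercent('"%PATH%'), SAMPLE_ENV));
```

In a real service the check `hasPercentExpansion` can be used to reject input outright instead of silently altering it with `stripPercent`; either way, the right long-term fix is upgrading to v2.1.2 rather than relying on input filtering.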
### References

- Shescape Pull Request [#1916](https://github.com/ericcornelissen/shescape/pull/1916)
- Shescape commit [0a81f1e](https://github.com/ericcornelissen/shescape/commit/0a81f1eb077bab8caae283a2490cd7be9af179c6)
- Shescape release [v2.1.2](https://github.com/ericcornelissen/shescape/releases/tag/v2.1.2)

### For more information

- Comment on Pull Request [#1916](https://github.com/ericcornelissen/shescape/pull/1916)
- Comment on commit [0a81f1e](https://github.com/ericcornelissen/shescape/commit/0a81f1eb077bab8caae283a2490cd7be9af179c6)
- Open an issue at [https://github.com/ericcornelissen/shescape/issues](https://github.com/ericcornelissen/shescape/issues) (New issue > Question)
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix
---|---|---
npm/shescape | >=1.7.2, <2.1.2 | 2.1.2
Shescape | >=1.7.2, <=2.1.1 | 2.1.2
- Severity: CVE-2025-30222 is considered moderate, as its impact is limited to read-only exposure of environment variables.
- Fix: upgrade Shescape to version 2.1.2 or later.
- Affected versions: Shescape 1.7.2 through 2.1.1.
- Affected users: Shescape users on Windows who configure the shell as `cmd.exe` or set `shell: true`.
- Summary: CVE-2025-30222 is an environment variable exposure vulnerability in the Shescape library.