CVE-2022-24725 Information

Description

Shescape is a shell escape package for JavaScript. An issue in versions 1.4.0 to 1.5.1 allows for exposure of the home directory on Unix systems when using Bash with the escape or escapeAll functions from the shescape API with the interpolation option set to true. Other tested shells Dash and Zsh are not affected. Depending on how the output of shescape is used directory traversal may be possible in the application using shescape. The issue was patched in version 1.5.1. As a workaround manually escape all instances of the tilde character (~) using arg.replace(/~/g \\\~\).

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Reference

https://github.com/ericcornelissen/shescape/pull/170 https://github.com/ericcornelissen/shescape/issues/169 https://github.com/ericcornelissen/shescape/security/advisories/GHSA-446w-rrm4-r47f

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

NONE

Base Severity

5.5