Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in shescape.
Shescape is a simple shell escape library for JavaScript. An attacker may be able to get read-only access to environment variables. This bug has been patched in version 1.7.1.
The package shescape from 1.5.10 and before 1.6.1 is vulnerable to Regular Expression Denial of Service (ReDoS) via the escape function in index.js, due to the usage of insecure regex in the escapeArgBash function.
This impacts users that use shescape to escape arguments: for the Unix shell Bash, or any not-officially-supported Unix shell; using the escape or escapeAll functions with the interpolation option set to true.
Shescape is a shell escape package for JavaScript. An Inefficient Regular Expression Complexity vulnerability impacts users that use Shescape to escape arguments for the Unix shells Bash and Dash, or any not-officially-supported Unix shell; and/or using the escape or escapeAll functions with the interpolation option set to true. An attacker can cause polynomial backtracking or quadratic runtime in terms of the input string length due to two Regular Expressions in …
Shescape is a simple shell escape package for JavaScript. Affected versions were found to have insufficient escaping of white space when interpolating output. This issue only impacts users that use the escape or escapeAll functions with the interpolation option set to true. The result is that if an attacker is able to include whitespace in their input they can: 1. Invoke shell-specific behaviour through shell-specific special characters inserted directly after …
Shescape is a simple shell escape package for JavaScript. Versions prior to 1.5.8 were found to be subject to code injection on Windows. This impacts users that use Shescape (any API function) to escape arguments for cmd.exe on Windows. An attacker can omit all arguments following their input by including a line feed character ('\n') in the payload. This bug has been patched in [v1.5.8] which you can upgrade to …
This impacts users that use Shescape (any API function) to escape arguments for cmd.exe on Windows. An attacker can omit all arguments following their input by including a line feed character ('\n') in the payload.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in shescape.
Shescape is a shell escape package for JavaScript. An issue in versions 1.4.0 to 1.5.1 allows for exposure of the home directory on Unix systems when using Bash with the escape or escapeAll functions from the shescape API with the interpolation option set to true. Other tested shells, Dash and Zsh, are not affected. Depending on how the output of shescape is used, directory traversal may be possible in the …
Shescape is a simple shell escape package for JavaScript. In shescape, anyone using Shescape to defend against shell injection may still be vulnerable to shell injection if the attacker manages to insert a into the payload. For an example see the referenced GitHub Security Advisory. The problem has been patched. No further changes are required.