GMS-2022-3205: Shescape prior to 1.5.8 vulnerable to insufficient escaping of line feeds for CMD

July 15, 2022

This impacts users that use Shescape (any API function) to escape arguments for cmd.exe on Windows. An attacker can omit all arguments following their input by including a line feed character (' ‘) in the payload.

References

github.com/advisories/GHSA-jjc5-fp7p-6f8w
github.com/ericcornelissen/shescape/pull/332
github.com/ericcornelissen/shescape/releases/tag/v1.5.8
github.com/ericcornelissen/shescape/security/advisories/GHSA-jjc5-fp7p-6f8w

Detect and mitigate GMS-2022-3205 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →