Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qNTVyLTc4N3AtbTU0Oc4AA1aq
Shescape on Windows escaping may be bypassed in threaded context
Impact
This may impact users that use Shescape on Windows in a threaded context (e.g. using Worker threads). The vulnerability can result in Shescape escaping (or quoting) for the wrong shell, thus allowing attackers to bypass protections depending on the combination of expected and used shell.
This snippet demonstrates a vulnerable use of Shescape:
// vulnerable.js
import { exec } from "node:child_process";
import { Worker, isMainThread } from 'node:worker_threads';
import * as shescape from "shescape";
if (isMainThread) {
// 1. Something like a worker thread must be used. The reason being that they
// unexpectedly change environment variable names on Windows.
new Worker("./vulnerable.js");
} else {
// 2. Example configuration that's problematic. In this setup example the
// expected default system shell is CMD. We configure the use of PowerShell.
// Shescape will fail to look up PowerShell and default to escaping for CMD
// instead, resulting in the vulnerability.
const options = {
shell: "powershell",
interpolation: true,
};
// 3. Using shescape to protect against attacks, this is correct.
const escaped = shescape.escape("&& ls", options);
// 4. Invoking a command with the escaped user input, this is vulnerable in
// this case.
exec(`echo Hello ${escaped}`, options, (error, stdout) => {
if (error) {
console.error(`An error occurred: ${error}`);
} else {
console.log(stdout);
}
});
}
Patches
This bug has been patched in v1.7.4 which you can upgrade to now. No further changes are required.
Workarounds
If you are impacted there is no workaround possible.
References
For more information
- Comment on Pull Request #1142
- Comment on commit
0b976da
- Open an issue at https://github.com/ericcornelissen/shescape/issues (New issue > Question > Get started)
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qNTVyLTc4N3AtbTU0Oc4AA1aq
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 9 months ago
Updated: 6 months ago
CVSS Score: 8.6
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Identifiers: GHSA-j55r-787p-m549, CVE-2023-40185
References:
- https://github.com/ericcornelissen/shescape/security/advisories/GHSA-j55r-787p-m549
- https://github.com/ericcornelissen/shescape/pull/1142
- https://github.com/ericcornelissen/shescape/commit/0b976dab645abf45ffd85e74a8c6e51ee2f42d63
- https://github.com/ericcornelissen/shescape/releases/tag/v1.7.4
- https://nvd.nist.gov/vuln/detail/CVE-2023-40185
- https://github.com/advisories/GHSA-j55r-787p-m549
Blast Radius: 12.4
Affected Packages
npm:shescape
Dependent packages: 15Dependent repositories: 28
Downloads: 14,386 last month
Affected Version Ranges: < 1.7.4
Fixed in: 1.7.4
All affected versions: 0.1.0, 0.2.0, 0.2.1, 0.3.0, 0.3.1, 0.4.0, 0.4.1, 1.0.0, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.4.0, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.5.9, 1.5.10, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.6.7, 1.7.0, 1.7.1, 1.7.2, 1.7.3
All unaffected versions: 1.7.4, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1