An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWYycnAtMzh2Zy1qM2do

Null characters not escaped


Anyone using Shescape to defend against shell injection may still be vulnerable against shell injection if the attacker manages to insert a null character into the payload. For example (on Windows):

const cp = require("child_process");
const shescape = require("shescape");

const nullChar = String.fromCharCode(0);
const payload = "foo\" && ls -al ${nullChar} && echo \"bar";
console.log(cp.execSync(`echo ${shescape.quote(payload)}`));
// foototal 3
// drwxr-xr-x 1 owner XXXXXX      0 Mar 13 18:44 .
// drwxr-xr-x 1 owner XXXXXX      0 Mar 13 00:09 ..
// drwxr-xr-x 1 owner XXXXXX      0 Mar 13 18:42 folder                                                                 
// -rw-r--r-- 1 owner XXXXXX      0 Mar 13 18:42 file


The problem has been patched in v1.1.3 which you can upgrade to now. No further changes are required.


Alternatively, null characters can be stripped out manually using e.g. arg.replace(/\u{0}/gu, "")

Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: 10 months ago

CVSS Score: 6.3
CVSS vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N

Identifiers: GHSA-f2rp-38vg-j3gh, CVE-2021-21384

Affected Packages

Versions: < 1.1.3
Fixed in: 1.1.3