Vulnerability-Lookup

CVE-2022-24725 (GCVE-0-2022-24725)

Vulnerability from cvelistv5 – Published: 2022-03-03 21:35 – Updated: 2025-04-22 18:20

Title

Exposure of home directory through shescape on Unix with Bash

Summary

Shescape is a shell escape package for JavaScript. An issue in versions 1.4.0 to 1.5.1 allows for exposure of the home directory on Unix systems when using Bash with the `escape` or `escapeAll` functions from the _shescape_ API with the `interpolation` option set to `true`. Other tested shells, Dash and Zsh, are not affected. Depending on how the output of _shescape_ is used, directory traversal may be possible in the application using _shescape_. The issue was patched in version 1.5.1. As a workaround, manually escape all instances of the tilde character (`~`) using `arg.replace(/~/g, "\\~")`.

Severity ?

6.2 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Assigner

GitHub_M

References

URL

Tags

	https://github.com/ericcornelissen/shescape/secur…	x_refsource_CONFIRM
	https://github.com/ericcornelissen/shescape/issues/169	x_refsource_MISC
	https://github.com/ericcornelissen/shescape/pull/170	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	ericcornelissen	shescape	Affected: >= 1.4.0, < 1.5.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T04:20:49.870Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-446w-rrm4-r47f"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/ericcornelissen/shescape/issues/169"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/ericcornelissen/shescape/pull/170"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-24725",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-22T15:49:34.610989Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-22T18:20:38.968Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "shescape",
          "vendor": "ericcornelissen",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.4.0, \u003c 1.5.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Shescape is a shell escape package for JavaScript. An issue in versions 1.4.0 to 1.5.1 allows for exposure of the home directory on Unix systems when using Bash with the `escape` or `escapeAll` functions from the _shescape_ API with the `interpolation` option set to `true`. Other tested shells, Dash and Zsh, are not affected. Depending on how the output of _shescape_ is used, directory traversal may be possible in the application using _shescape_. The issue was patched in version 1.5.1. As a workaround, manually escape all instances of the tilde character (`~`) using `arg.replace(/~/g, \"\\\\~\")`."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 6.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-03-03T21:35:10.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-446w-rrm4-r47f"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ericcornelissen/shescape/issues/169"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ericcornelissen/shescape/pull/170"
        }
      ],
      "source": {
        "advisory": "GHSA-446w-rrm4-r47f",
        "discovery": "UNKNOWN"
      },
      "title": "Exposure of home directory through shescape on Unix with Bash",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-24725",
          "STATE": "PUBLIC",
          "TITLE": "Exposure of home directory through shescape on Unix with Bash"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "shescape",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003e= 1.4.0, \u003c 1.5.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "ericcornelissen"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Shescape is a shell escape package for JavaScript. An issue in versions 1.4.0 to 1.5.1 allows for exposure of the home directory on Unix systems when using Bash with the `escape` or `escapeAll` functions from the _shescape_ API with the `interpolation` option set to `true`. Other tested shells, Dash and Zsh, are not affected. Depending on how the output of _shescape_ is used, directory traversal may be possible in the application using _shescape_. The issue was patched in version 1.5.1. As a workaround, manually escape all instances of the tilde character (`~`) using `arg.replace(/~/g, \"\\\\~\")`."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 6.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-446w-rrm4-r47f",
              "refsource": "CONFIRM",
              "url": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-446w-rrm4-r47f"
            },
            {
              "name": "https://github.com/ericcornelissen/shescape/issues/169",
              "refsource": "MISC",
              "url": "https://github.com/ericcornelissen/shescape/issues/169"
            },
            {
              "name": "https://github.com/ericcornelissen/shescape/pull/170",
              "refsource": "MISC",
              "url": "https://github.com/ericcornelissen/shescape/pull/170"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-446w-rrm4-r47f",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-24725",
    "datePublished": "2022-03-03T21:35:10.000Z",
    "dateReserved": "2022-02-10T00:00:00.000Z",
    "dateUpdated": "2025-04-22T18:20:38.968Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/ericcornelissen/shescape/security/advisories/GHSA-446w-rrm4-r47f\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/ericcornelissen/shescape/issues/169\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/ericcornelissen/shescape/pull/170\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T04:20:49.870Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-24725\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-22T15:49:34.610989Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-22T15:49:36.285Z\"}}], \"cna\": {\"title\": \"Exposure of home directory through shescape on Unix with Bash\", \"source\": {\"advisory\": \"GHSA-446w-rrm4-r47f\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.2, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"ericcornelissen\", \"product\": \"shescape\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 1.4.0, \u003c 1.5.1\"}]}], \"references\": [{\"url\": \"https://github.com/ericcornelissen/shescape/security/advisories/GHSA-446w-rrm4-r47f\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/ericcornelissen/shescape/issues/169\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/ericcornelissen/shescape/pull/170\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Shescape is a shell escape package for JavaScript. An issue in versions 1.4.0 to 1.5.1 allows for exposure of the home directory on Unix systems when using Bash with the `escape` or `escapeAll` functions from the _shescape_ API with the `interpolation` option set to `true`. Other tested shells, Dash and Zsh, are not affected. Depending on how the output of _shescape_ is used, directory traversal may be possible in the application using _shescape_. The issue was patched in version 1.5.1. As a workaround, manually escape all instances of the tilde character (`~`) using `arg.replace(/~/g, \\\"\\\\\\\\~\\\")`.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-200\", \"description\": \"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2022-03-03T21:35:10.000Z\"}, \"x_legacyV4Record\": {\"impact\": {\"cvss\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.2, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, \"source\": {\"advisory\": \"GHSA-446w-rrm4-r47f\", \"discovery\": \"UNKNOWN\"}, \"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"version\": {\"version_data\": [{\"version_value\": \"\u003e= 1.4.0, \u003c 1.5.1\"}]}, \"product_name\": \"shescape\"}]}, \"vendor_name\": \"ericcornelissen\"}]}}, \"data_type\": \"CVE\", \"references\": {\"reference_data\": [{\"url\": \"https://github.com/ericcornelissen/shescape/security/advisories/GHSA-446w-rrm4-r47f\", \"name\": \"https://github.com/ericcornelissen/shescape/security/advisories/GHSA-446w-rrm4-r47f\", \"refsource\": \"CONFIRM\"}, {\"url\": \"https://github.com/ericcornelissen/shescape/issues/169\", \"name\": \"https://github.com/ericcornelissen/shescape/issues/169\", \"refsource\": \"MISC\"}, {\"url\": \"https://github.com/ericcornelissen/shescape/pull/170\", \"name\": \"https://github.com/ericcornelissen/shescape/pull/170\", \"refsource\": \"MISC\"}]}, \"data_format\": \"MITRE\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"Shescape is a shell escape package for JavaScript. An issue in versions 1.4.0 to 1.5.1 allows for exposure of the home directory on Unix systems when using Bash with the `escape` or `escapeAll` functions from the _shescape_ API with the `interpolation` option set to `true`. Other tested shells, Dash and Zsh, are not affected. Depending on how the output of _shescape_ is used, directory traversal may be possible in the application using _shescape_. The issue was patched in version 1.5.1. As a workaround, manually escape all instances of the tilde character (`~`) using `arg.replace(/~/g, \\\"\\\\\\\\~\\\")`.\"}]}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\"}]}]}, \"data_version\": \"4.0\", \"CVE_data_meta\": {\"ID\": \"CVE-2022-24725\", \"STATE\": \"PUBLIC\", \"TITLE\": \"Exposure of home directory through shescape on Unix with Bash\", \"ASSIGNER\": \"security-advisories@github.com\"}}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-24725\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-22T18:20:38.968Z\", \"dateReserved\": \"2022-02-10T00:00:00.000Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2022-03-03T21:35:10.000Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GSD-2022-24725

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Aliases

CVE-2022-24725

Aliases

CVE-2022-24725

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-24725",
    "description": "Shescape is a shell escape package for JavaScript. An issue in versions 1.4.0 to 1.5.1 allows for exposure of the home directory on Unix systems when using Bash with the `escape` or `escapeAll` functions from the _shescape_ API with the `interpolation` option set to `true`. Other tested shells, Dash and Zsh, are not affected. Depending on how the output of _shescape_ is used, directory traversal may be possible in the application using _shescape_. The issue was patched in version 1.5.1. As a workaround, manually escape all instances of the tilde character (`~`) using `arg.replace(/~/g, \"\\\\~\")`.",
    "id": "GSD-2022-24725"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-24725"
      ],
      "details": "Shescape is a shell escape package for JavaScript. An issue in versions 1.4.0 to 1.5.1 allows for exposure of the home directory on Unix systems when using Bash with the `escape` or `escapeAll` functions from the _shescape_ API with the `interpolation` option set to `true`. Other tested shells, Dash and Zsh, are not affected. Depending on how the output of _shescape_ is used, directory traversal may be possible in the application using _shescape_. The issue was patched in version 1.5.1. As a workaround, manually escape all instances of the tilde character (`~`) using `arg.replace(/~/g, \"\\\\~\")`.",
      "id": "GSD-2022-24725",
      "modified": "2023-12-13T01:19:43.113614Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2022-24725",
        "STATE": "PUBLIC",
        "TITLE": "Exposure of home directory through shescape on Unix with Bash"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "shescape",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003e= 1.4.0, \u003c 1.5.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "ericcornelissen"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Shescape is a shell escape package for JavaScript. An issue in versions 1.4.0 to 1.5.1 allows for exposure of the home directory on Unix systems when using Bash with the `escape` or `escapeAll` functions from the _shescape_ API with the `interpolation` option set to `true`. Other tested shells, Dash and Zsh, are not affected. Depending on how the output of _shescape_ is used, directory traversal may be possible in the application using _shescape_. The issue was patched in version 1.5.1. As a workaround, manually escape all instances of the tilde character (`~`) using `arg.replace(/~/g, \"\\\\~\")`."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 6.2,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-446w-rrm4-r47f",
            "refsource": "CONFIRM",
            "url": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-446w-rrm4-r47f"
          },
          {
            "name": "https://github.com/ericcornelissen/shescape/issues/169",
            "refsource": "MISC",
            "url": "https://github.com/ericcornelissen/shescape/issues/169"
          },
          {
            "name": "https://github.com/ericcornelissen/shescape/pull/170",
            "refsource": "MISC",
            "url": "https://github.com/ericcornelissen/shescape/pull/170"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-446w-rrm4-r47f",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=1.4.0 \u003c1.5.1",
          "affected_versions": "All versions starting from 1.4.0 before 1.5.1",
          "cvss_v2": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "cvss_v3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-78",
            "CWE-937"
          ],
          "date": "2023-06-23",
          "description": "Shescape is a shell escape package for JavaScript. An issue in versions 1.4.0 to 1.5.1 allows for exposure of the home directory on Unix systems when using Bash with the `escape` or `escapeAll` functions from the _shescape_ API with the `interpolation` option set to `true`. Other tested shells, Dash and Zsh, are not affected. Depending on how the output of _shescape_ is used, directory traversal may be possible in the application using _shescape_. The issue was patched in version 1.5.1. As a workaround, manually escape all instances of the tilde character (`~`) using `arg.replace(/~/g, \"\\\\~\")`.",
          "fixed_versions": [
            "1.5.1"
          ],
          "identifier": "CVE-2022-24725",
          "identifiers": [
            "CVE-2022-24725",
            "GHSA-446w-rrm4-r47f"
          ],
          "not_impacted": "All versions before 1.4.0, all versions starting from 1.5.1",
          "package_slug": "npm/shescape",
          "pubdate": "2022-03-03",
          "solution": "Upgrade to version 1.5.1 or above.",
          "title": "Exposure of Sensitive Information to an Unauthorized Actor",
          "urls": [
            "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-446w-rrm4-r47f",
            "https://github.com/ericcornelissen/shescape/issues/169",
            "https://github.com/ericcornelissen/shescape/pull/170",
            "https://github.com/advisories/GHSA-446w-rrm4-r47f"
          ],
          "uuid": "ccfa8092-0705-4352-aeaa-6ebf37aabba9"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:shescape_project:shescape:*:*:*:*:*:node.js:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.5.1",
                "versionStartIncluding": "1.4.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-24725"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Shescape is a shell escape package for JavaScript. An issue in versions 1.4.0 to 1.5.1 allows for exposure of the home directory on Unix systems when using Bash with the `escape` or `escapeAll` functions from the _shescape_ API with the `interpolation` option set to `true`. Other tested shells, Dash and Zsh, are not affected. Depending on how the output of _shescape_ is used, directory traversal may be possible in the application using _shescape_. The issue was patched in version 1.5.1. As a workaround, manually escape all instances of the tilde character (`~`) using `arg.replace(/~/g, \"\\\\~\")`."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-78"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/ericcornelissen/shescape/pull/170",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/ericcornelissen/shescape/pull/170"
            },
            {
              "name": "https://github.com/ericcornelissen/shescape/issues/169",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Issue Tracking",
                "Third Party Advisory"
              ],
              "url": "https://github.com/ericcornelissen/shescape/issues/169"
            },
            {
              "name": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-446w-rrm4-r47f",
              "refsource": "CONFIRM",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-446w-rrm4-r47f"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 1.9,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 3.4,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "LOW",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2023-06-23T19:17Z",
      "publishedDate": "2022-03-03T22:15Z"
    }
  }
}

CNVD-2022-23465

Vulnerability from cnvd - Published: 2022-03-29

Title

shescape信息泄露漏洞

Description

shescape是开源的一个用于JavaScript的简单外壳转义程序包。使用它可以将用户控制的输入转义给shell命令，以防止shell注入。 shescape 1.4.0到1.5.1版本存在信息泄露漏洞，该漏洞源于使用Bash和shescape API中的escape或escapeAll函数并将interpolation选项设为true时，Unix系统上的主目录会被暴露，攻击者可利用该漏洞在使用shescape的应用程序中进行目录遍历。

Severity

低

Patch Name

shescape信息泄露漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://github.com/ericcornelissen/shescape/security/advisories/GHSA-446w-rrm4-r47f

Reference

https://nvd.nist.gov/vuln/detail/CVE-2022-24725

Impacted products

Name
shescape shescape >=1.4.0，<=1.5.1

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-24725"
    }
  },
  "description": "shescape\u662f\u5f00\u6e90\u7684\u4e00\u4e2a\u7528\u4e8eJavaScript\u7684\u7b80\u5355\u5916\u58f3\u8f6c\u4e49\u7a0b\u5e8f\u5305\u3002\u4f7f\u7528\u5b83\u53ef\u4ee5\u5c06\u7528\u6237\u63a7\u5236\u7684\u8f93\u5165\u8f6c\u4e49\u7ed9shell\u547d\u4ee4\uff0c\u4ee5\u9632\u6b62shell\u6ce8\u5165\u3002\n\nshescape 1.4.0\u52301.5.1\u7248\u672c\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u4f7f\u7528Bash\u548cshescape API\u4e2d\u7684escape\u6216escapeAll\u51fd\u6570\u5e76\u5c06interpolation\u9009\u9879\u8bbe\u4e3atrue\u65f6\uff0cUnix\u7cfb\u7edf\u4e0a\u7684\u4e3b\u76ee\u5f55\u4f1a\u88ab\u66b4\u9732\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u4f7f\u7528shescape\u7684\u5e94\u7528\u7a0b\u5e8f\u4e2d\u8fdb\u884c\u76ee\u5f55\u904d\u5386\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://github.com/ericcornelissen/shescape/security/advisories/GHSA-446w-rrm4-r47f",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-23465",
  "openTime": "2022-03-29",
  "patchDescription": "shescape\u662f\u5f00\u6e90\u7684\u4e00\u4e2a\u7528\u4e8eJavaScript\u7684\u7b80\u5355\u5916\u58f3\u8f6c\u4e49\u7a0b\u5e8f\u5305\u3002\u4f7f\u7528\u5b83\u53ef\u4ee5\u5c06\u7528\u6237\u63a7\u5236\u7684\u8f93\u5165\u8f6c\u4e49\u7ed9shell\u547d\u4ee4\uff0c\u4ee5\u9632\u6b62shell\u6ce8\u5165\u3002\r\n\r\nshescape 1.4.0\u52301.5.1\u7248\u672c\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u4f7f\u7528Bash\u548cshescape API\u4e2d\u7684escape\u6216escapeAll\u51fd\u6570\u5e76\u5c06interpolation\u9009\u9879\u8bbe\u4e3atrue\u65f6\uff0cUnix\u7cfb\u7edf\u4e0a\u7684\u4e3b\u76ee\u5f55\u4f1a\u88ab\u66b4\u9732\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u4f7f\u7528shescape\u7684\u5e94\u7528\u7a0b\u5e8f\u4e2d\u8fdb\u884c\u76ee\u5f55\u904d\u5386\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "shescape\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "shescape shescape \u003e=1.4.0\uff0c\u003c=1.5.1"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2022-24725",
  "serverity": "\u4f4e",
  "submitTime": "2022-03-04",
  "title": "shescape\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e"
}

GHSA-446W-RRM4-R47F

Vulnerability from github – Published: 2022-03-03 19:26 – Updated: 2022-03-18 20:06

Summary

Exposure of home directory through shescape on Unix with Bash

Details

Impact

The issue allows for exposure of the home directory on Unix systems when using Bash with the escape or escapeAll functions from the shescape API with the interpolation option set to true. Other tested shells, Dash and Zsh, are not affected.

const cp = require("child_process");
const shescape = require("shescape");

const payload = "home_directory=~";
const options = { interpolation: true };
console.log(cp.execSync(`echo ${shescape.escape(payload, options)}`));
// home_directory=/home/user

Depending on how the output of shescape is used, directory traversal may be possible in the application using shescape.

Patches

The issue was patched in v1.5.1.

Workarounds

Manually escape all instances of the tilde character (~) using arg.replace(/~/g, "\\~").

References

See GitHub issue https://github.com/ericcornelissen/shescape/issues/169.

Severity ?

5.5 (Medium)


                  
                    CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "shescape"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.4.0"
            },
            {
              "fixed": "1.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-24725"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-03-03T19:26:11Z",
    "nvd_published_at": "2022-03-03T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nThe issue allows for exposure of the home directory on Unix systems when using Bash with the `escape` or `escapeAll` functions from the _shescape_ API with the `interpolation` option set to `true`. Other tested shells, Dash and Zsh, are not affected.\n\n```javascript\nconst cp = require(\"child_process\");\nconst shescape = require(\"shescape\");\n\nconst payload = \"home_directory=~\";\nconst options = { interpolation: true };\nconsole.log(cp.execSync(`echo ${shescape.escape(payload, options)}`));\n// home_directory=/home/user\n```\n\nDepending on how the output of _shescape_ is used, directory traversal may be possible in the application using _shescape_.\n\n### Patches\n\nThe issue was patched in `v1.5.1`.\n\n### Workarounds\n\nManually escape all instances of the tilde character (`~`) using `arg.replace(/~/g, \"\\\\~\")`.\n\n### References\n\nSee GitHub issue https://github.com/ericcornelissen/shescape/issues/169.\n",
  "id": "GHSA-446w-rrm4-r47f",
  "modified": "2022-03-18T20:06:07Z",
  "published": "2022-03-03T19:26:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-446w-rrm4-r47f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24725"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ericcornelissen/shescape/issues/169"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ericcornelissen/shescape/pull/170"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ericcornelissen/shescape"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Exposure of home directory through shescape on Unix with Bash"
}

FKIE_CVE-2022-24725

Vulnerability from fkie_nvd - Published: 2022-03-03 22:15 - Updated: 2024-11-21 06:50

Severity ?

6.2 (Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/ericcornelissen/shescape/issues/169	Exploit, Issue Tracking, Third Party Advisory
security-advisories@github.com	https://github.com/ericcornelissen/shescape/pull/170	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/ericcornelissen/shescape/security/advisories/GHSA-446w-rrm4-r47f	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/ericcornelissen/shescape/issues/169	Exploit, Issue Tracking, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/ericcornelissen/shescape/pull/170	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/ericcornelissen/shescape/security/advisories/GHSA-446w-rrm4-r47f	Exploit, Third Party Advisory

Impacted products

	Vendor	Product	Version
	shescape_project	shescape	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:shescape_project:shescape:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "300F4AA8-8F2F-4AF5-B0B3-511E231C74DE",
              "versionEndExcluding": "1.5.1",
              "versionStartIncluding": "1.4.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Shescape is a shell escape package for JavaScript. An issue in versions 1.4.0 to 1.5.1 allows for exposure of the home directory on Unix systems when using Bash with the `escape` or `escapeAll` functions from the _shescape_ API with the `interpolation` option set to `true`. Other tested shells, Dash and Zsh, are not affected. Depending on how the output of _shescape_ is used, directory traversal may be possible in the application using _shescape_. The issue was patched in version 1.5.1. As a workaround, manually escape all instances of the tilde character (`~`) using `arg.replace(/~/g, \"\\\\~\")`."
    },
    {
      "lang": "es",
      "value": "Shescape es un paquete de escape de shell para JavaScript. Un problema en las versiones 1.4.0 a 1.5.1 permite una exposici\u00f3n del directorio de inicio en los sistemas Unix cuando es usada Bash con las funciones \"escape\" o \"escapeAll\u0027 de la API _shescape_ con la opci\u00f3n \"interpolation\" establecida en \"true\". Otros shells probados, Dash y Zsh, no est\u00e1n afectados. Dependiendo de c\u00f3mo es usada la salida de _shescape_, puede ser posible un salto de directorio en la aplicaci\u00f3n que usa _shescape_. El problema fue parcheado en la versi\u00f3n 1.5.1. Como medida de mitigaci\u00f3n, escape manualmente todas las instancias del car\u00e1cter tilde (\"~\") usando \"arg.replace(/~/g, \"\\~~\")`"
    }
  ],
  "id": "CVE-2022-24725",
  "lastModified": "2024-11-21T06:50:57.537",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "LOCAL",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 1.9,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 3.4,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 6.2,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.5,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-03-03T22:15:08.950",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "https://github.com/ericcornelissen/shescape/issues/169"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/ericcornelissen/shescape/pull/170"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-446w-rrm4-r47f"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "https://github.com/ericcornelissen/shescape/issues/169"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/ericcornelissen/shescape/pull/170"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-446w-rrm4-r47f"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-78"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-24725 (GCVE-0-2022-24725)

GSD-2022-24725

CNVD-2022-23465

GHSA-446W-RRM4-R47F

Impact

Patches

Workarounds

References

FKIE_CVE-2022-24725

Tags

Sightings

Nomenclature