9.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-31180

CVE-2022-31180: Shescape vulnerable to insufficient escaping of whitespace

Impact

This only impacts users that use the escape or escapeAll functions with the interpolation option set to true. Example:

import cp from "node:child_process";
import * as shescape from "shescape";

// 1. Prerequisites
const options = {
  shell: "bash",
  // Or
  shell: "dash",
  // Or
  shell: "powershell.exe",
  // Or
  shell: "zsh",
  // Or
  shell: undefined, // Only if the default shell is one of the affected shells.
};

// 2. Attack (one of multiple)
const payload = "foo #bar";

// 3. Usage
let escapedPayload;
shescape.escape(payload, { interpolation: true });
// Or
shescape.escapeAll(payload, { interpolation: true });

cp.execSync(`echo Hello ${escapedPayload}!`, options);
// _Output depends on the shell being used_

The result is that if an attacker is able to include whitespace in their input they can:

Invoke shell-specific behaviour through shell-specific special characters inserted directly after whitespace.
- Affected shells: Bash, Dash, Zsh, PowerShell
Invoke shell-specific behaviour through shell-specific special characters inserted or appearing after line terminating characters.
- Affected shells: Bash
Invoke arbitrary commands by inserting a line feed character.
- Affected Shells: Bash, Dash, Zsh, PowerShell
Invoke arbitrary commands by inserting a carriage return character.
- Affected Shells: PowerShell

Patches

Behaviour number 1 has been patched in v1.5.7 which you can upgrade to now. No further changes are required.

Behaviour number 2, 3, and 4 have been patched in v1.5.8 which you can upgrade to now. No further changes are required.

Miggo Vulnerability Database

→

CVE-2022-31180

CVE-2022-31180:

9.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
shescape	npm	>= 1.4.0, < 1.5.8	1.5.8

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability documentation explicitly states impact occurs when using escape/escapeAll with interpolation:true. Multiple pull requests (#322, #324, #332) modifying escaping logic for these functions were required to patch different attack vectors. The functions' purpose (shell escaping) and explicit mention in all impact scenarios make them clear candidates.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

9.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-31180: Shescape vulnerable to insufficient escaping of whitespace

Impact

Patches

CVE-2022-31180:

9.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Detect and Respond To Threats Faster.

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

9.8

9.8

Technical Details

CVE-2022-31180: Shescape vulnerable to insufficient escaping of whitespace

Impact

Patches

Workarounds

References

For more information

9.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-31180: Shescape vulnerable to insufficient escaping of whitespace

Impact

Patches

CVE-2022-31180:

9.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

9.8

9.8

Technical Details

CVE-2022-31180: Shescape vulnerable to insufficient escaping of whitespace

Impact

Patches

Workarounds

References

For more information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI