3.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-35931

GHSA ID

GHSA-3g7p-8qhx-mc8r

EPSS Score

0.48919%

CWE

CWE-526

Published

6/22/2023

Updated

11/7/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-35931

CVE-2023-35931: Shescape potential environment variable exposure on Windows with CMD

Impact

This impact users of Shescape:

On Windows using the Windows Command Prompt (i.e. cmd.exe), and
Using quote/quoteAll or escape/escapeAll with the interpolation option set to true.

An attacker may be able to get read-only access to environment variables. Example:

import * as cp from "node:child_process";
import * as shescape from "shescape";

// 1. Prerequisites
const options = {
    shell: "cmd.exe",
    // Or
    shell: undefined, // Only if the default shell is CMD

    // And
    interpolation: true, // Only applies to `escape` and `escapeAll` usage
}

// 2. Attack (one of many)
const payload = "%PATH%";

// 3. Usage
let escapedPayload;

escapedPayload = shescape.quote(payload, options);
// Or
escapedPayload = shescape.quoteAll([payload], options);
// Or
escapedPayload = shescape.escape(payload, options);
// Or
escapedPayload = shescape.escapeAll([payload], options);

// And (example)
const result = cp.execSync(`echo Hello ${escapedPayload}`, options);

// 4. Impact
console.log(result.toString());
// Outputs "Hello" followed by the contents of the PATH environment variable

Patches

This bug has been patched in v1.7.1 which you can upgrade to now. No further changes are required.

Workarounds

Alternatively, users can remove all instances of % from user input, either before or after using Shescape.

References

Shescape Pull request #982
Shescape commit d0fce70
Shescape Release v1.7.1

(GitHub Advisory)

3.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-35931

GHSA ID

GHSA-3g7p-8qhx-mc8r

EPSS Score

0.48919%

CWE

CWE-526

Published

6/22/2023

Updated

11/7/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
shescape	npm	< 1.7.1	1.7.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from inadequate escaping of '%' characters in Windows CMD handling. The commit diff shows both functions in src/win/cmd.js were modified to add '%' escaping:

escapeArgForInterpolation's regex was expanded to include '%' in the character set
escapeArgForQuoted explicitly added a '%' replacement. These functions are directly responsible for argument sanitization when using quote/escape methods with CMD, and their pre-patch behavior allowed environment variable expansion through unescaped '%' characters.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T*is imp**t us*rs o* S**s**p*: *. On Win*ows usin* t** Win*ows *omm*n* Prompt (i.*. `*m*.*x*`), *n* *. Usin* `quot*`/`quot**ll` or `*s**p*`/`*s**p**ll` wit* t** `int*rpol*tion` option s*t to `tru*`. *n *tt**k*r m*y ** **l* to **t r***-o

Reasoning

T** vuln*r**ility st*ms *rom in***qu*t* *s**pin* o* '%' ***r**t*rs in Win*ows *M* **n*lin*. T** *ommit *i** s*ows *ot* *un*tions in sr*/win/*m*.js w*r* mo*i*i** to *** '%' *s**pin*: *. *s**p**r**orInt*rpol*tion's r***x w*s *xp*n*** to in*lu** '%' in

3.1

Basic Information

Concerned about an active attack path?

CVE-2023-35931: Shescape potential environment variable exposure on Windows with CMD

Impact

Patches

Workarounds

References

3.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI