CVE-2026-30916
Shell Escape Bypass in Shescape JavaScript Library Allows Data Exposure
Publication date: 2026-03-10
Last updated on: 2026-03-20
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ericcornelissen | shescape | 2.1.9 |
| ericcornelissen | shescape | to 2.1.9 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-30916 is a vulnerability in the Shescape JavaScript library, which is used for shell escaping. The issue arises when the shell path configured in Shescape is a symbolic link (symlink) that points to another symlink, creating a chain of links. Prior to version 2.1.9, Shescape did not properly resolve these recursive symlinks, which could lead to incorrect identification of the actual shell executable.
This incorrect shell identification can allow an attacker to bypass the escaping mechanisms that Shescape provides, potentially enabling unsafe input to be executed or sensitive information to be exposed.
The vulnerability was fixed in version 2.1.9 by implementing recursive symlink resolution, loop detection to prevent infinite loops, and improved handling of relative symlinks.
How can this vulnerability impact me? :
If you use Shescape with a shell path configured as a symlink to another symlink, this vulnerability can allow an attacker to bypass the shell escaping protections.
This can lead to exposure of sensitive information, such as revealing user environment details, or potentially allow execution of unsafe shell commands due to improper escaping.
The exact impact depends on the shell being used and how Shescape misidentifies it, but it generally increases the risk of security issues related to command injection or information leakage.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the shell configured in your environment is a symbolic link that points to another symbolic link (a chain of symlinks). Such chained symlinks can cause Shescape to misidentify the shell and bypass escaping.
To detect this on a Unix-like system, you can use commands to inspect the shell path and resolve symlinks recursively. For example:
- Use `ls -l $(which sh)` or `ls -l /bin/sh` to check if the shell is a symlink.
- Use `readlink -f $(which sh)` to resolve the full chain of symlinks to the actual executable.
- If `readlink -f` is not available, use a loop with `readlink` to manually resolve symlinks until the final target is found.
If the shell path is a symlink to another symlink (a link-to-link), this indicates the vulnerable condition described in CVE-2026-30916.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the Shescape library to version 2.1.9 or later, where the vulnerability has been fixed.
If upgrading is not immediately possible, you should avoid configuring your shell path to a symbolic link that points to another symbolic link.
Alternatively, avoid using a shell specified via chained symbolic links altogether to prevent the bypass of escaping mechanisms.