Executive Summary

[{'type': 'paragraph', 'content': 'This vulnerability exists in the Shescape JavaScript library versions prior to 2.1.10, specifically in the Shescape#escape() function. The function fails to escape square-bracket glob syntax characters ([ and ]) when used with Unix shells like Bash, BusyBox sh, and Dash. Because of this, if an attacker controls an input string containing square brackets (e.g., "secret[12]"), the shell interprets these brackets as glob patterns rather than literal characters.'}, {'type': 'paragraph', 'content': 'As a result, the input expands into multiple filesystem matches (such as "secret1" and "secret2") instead of being treated as a single literal argument. This means that one argument can be expanded into multiple trusted pathnames, potentially altering the behavior of shell commands that interpolate this escaped string directly.'}, {'type': 'paragraph', 'content': 'The vulnerability was fixed in version 2.1.10 by updating the escaping logic to correctly escape square brackets, preventing unintended glob expansions.'}] [2, 1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing argument injection in shell commands that use Shescape#escape() output directly. Specifically, a single untrusted argument containing square brackets can expand into multiple filesystem pathnames, which may cause:

• Alteration of command behavior due to unexpected multiple arguments.
• Unintended targeting or manipulation of multiple files instead of a single intended file.
• Potential leakage of filenames or sensitive information through expanded glob patterns.

Any application that interpolates the output of Shescape#escape() into shell commands without proper quoting or escaping is vulnerable to these impacts.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if your application uses the shescape library version prior to 2.1.10 and if it calls Shescape#escape() to escape inputs that are then interpolated directly into shell commands executed in Bash, BusyBox sh, or Dash shells.'}, {'type': 'paragraph', 'content': 'A practical way to detect the vulnerability is to test if inputs containing square brackets are properly escaped. For example, running the following JavaScript code snippet in your environment can reveal the issue:'}, {'type': 'list_item', 'content': 'new Shescape({ shell: "/usr/bin/bash" }).escape("secret[12]")'}, {'type': 'paragraph', 'content': 'If the output is "secret[12]" unchanged, the vulnerability exists because the square brackets are not escaped and can cause glob expansion in the shell.'}, {'type': 'paragraph', 'content': 'Additionally, you can monitor shell commands executed by your application for unescaped square brackets in arguments, which may indicate vulnerable usage.'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade the shescape library to version 2.1.10 or later, where the vulnerability is fixed by correctly escaping square brackets in shell arguments for Bash, BusyBox, and Dash shells.

If upgrading is not immediately possible, avoid interpolating untrusted input containing square brackets directly into shell commands, or apply additional manual escaping for square brackets before passing inputs to the shell.

Review your code to ensure that any use of Shescape#escape() is not used as a fallback for quoting untrusted input without proper escaping, especially when targeting vulnerable shells.

Useful 0 Not Useful 0