CVSS: 8.6EPSS: 0%CPEs: 2EXPL: 1CVE-2023-40185 – Shescape on Windows escaping may be bypassed in threaded context
https://notcve.org/view.php?id=CVE-2023-40185
23 Aug 2023 — shescape is simple shell escape library for JavaScript. This may impact users that use Shescape on Windows in a threaded context. The vulnerability can result in Shescape escaping (or quoting) for the wrong shell, thus allowing attackers to bypass protections depending on the combination of expected and used shell. This bug has been patched in version 1.7.4. • https://github.com/ericcornelissen/shescape/commit/0b976dab645abf45ffd85e74a8c6e51ee2f42d63 • CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 1CVE-2023-35931 – Shescape potential environment variable exposure on Windows with CMD
https://notcve.org/view.php?id=CVE-2023-35931
23 Jun 2023 — Shescape is a simple shell escape library for JavaScript. An attacker may be able to get read-only access to environment variables. This bug has been patched in version 1.7.1. • https://github.com/ericcornelissen/shescape/commit/d0fce70f987ac0d8331f93cb45d47e79436173ac • CWE-526: Cleartext Storage of Sensitive Information in an Environment Variable •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 1CVE-2022-25918 – Regular Expression Denial of Service (ReDoS)
https://notcve.org/view.php?id=CVE-2022-25918
27 Oct 2022 — The package shescape from 1.5.10 and before 1.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the escape function in index.js, due to the usage of insecure regex in the escapeArgBash function. El paquete shescape de 1.5.10 y anteriores a 1.6.1 es vulnerable a la Denegación de Servicio de Expresión Regular (ReDoS) a través de la función de escape en index.js, debido al uso de expresiones regulares inseguras en la función escapeArgBash. • https://github.com/ericcornelissen/shescape/blob/main/src/unix.js%23L52 • CWE-1333: Inefficient Regular Expression Complexity •