cvedb.io
CVE-2022-31180
CRITICAL · CVSS 9.8
EPSS exploitation probability: 0%
Published 2022-08-01T20:15:08.237 · Last modified 2026-06-17T04:44:58.363

Summary

Shescape is a simple shell escape package for JavaScript. Affected versions were found to have insufficient escaping of white space when interpolating output. This issue only impacts users that use the `escape` or `escapeAll` functions with the `interpolation` option set to `true`. The result is that if an attacker is able to include whitespace in their input they can: 1. Invoke shell-specific behaviour through shell-specific special characters inserted directly after whitespace. 2. Invoke shell-specific behaviour through shell-specific special characters inserted or appearing after line terminating characters. 3. Invoke arbitrary commands by inserting a line feed character. 4. Invoke arbitrary commands by inserting a carriage return character. Behaviour number 1 has been patched in [v1.5.

Affected products

shescape_project — shescape

Does this affect you?

Add your gear to cvedb and we'll alert you only when shescape_project ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.