CVE-2023-40185

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-40185

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-40185.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-40185

Aliases

GHSA-j55r-787p-m549

Published

2023-08-23T20:20:45.807Z

Modified

2025-12-05T00:03:29.012527Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L CVSS Calculator

Summary

Shescape on Windows escaping may be bypassed in threaded context

Details

shescape is simple shell escape library for JavaScript. This may impact users that use Shescape on Windows in a threaded context. The vulnerability can result in Shescape escaping (or quoting) for the wrong shell, thus allowing attackers to bypass protections depending on the combination of expected and used shell. This bug has been patched in version 1.7.4.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-150"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/40xxx/CVE-2023-40185.json"
}

References

Affected packages

Git / github.com/ericcornelissen/shescape

Affected ranges

Type: GIT
Repo: https://github.com/ericcornelissen/shescape
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

5b0d2015093d607840c32782eee33c581e772df0

Affected versions

v0.*

v0.1.0

v0.2.0

v0.2.1

v0.3.0

v0.3.1

v0.4.0

v0.4.1

v1.*

v1.0.0

v1.1.0

v1.1.1

v1.1.2

v1.1.3

v1.2.0

v1.2.1

v1.3.0

v1.3.1

v1.3.2

v1.3.3

v1.4.0

v1.5.0

v1.5.1

v1.5.10

v1.5.2

v1.5.3

v1.5.4

v1.5.5

v1.5.6

v1.5.7

v1.5.8

v1.5.9

v1.6.0

v1.6.1

v1.6.2

v1.6.3

v1.6.4

v1.6.5

v1.6.6

v1.6.7

v1.7.0

v1.7.1

v1.7.2

v1.7.3