API Security Blog

Shescape prior to 1.5.8 vulnerable to insufficient escaping of line feeds for CMD

### Impact

This impacts users that use Shescape (any API function) to escape arguments for **cmd.exe** on **Windows**. An attacker can cause every argument following their input to be dropped by including a line feed character (`'\n'`) in the payload, because cmd.exe stops reading the command line at the line feed. Example:

```javascript
import cp from "node:child_process";
import * as shescape from "shescape";

// 1. Prerequisites
const options = {
  shell: "cmd.exe",
};

// 2. Attack
const payload = "attacker\n";

// 3. Usage
let escapedPayload;
escapedPayload = shescape.escape(payload, options);
// Or
escapedPayload = shescape.escapeAll([payload], options)[0];
// Or
escapedPayload = shescape.quote(payload, options);
// Or
escapedPayload = shescape.quoteAll([payload], options)[0];

cp.execSync(`echo Hello ${escapedPayload}! How are you doing?`, options);
// Outputs: "Hello attacker"
```

> **Note**: `execSync` is just illustrative here, all of `exec`, `execFile`, `execFileSync`, `fork`, `spawn`, and `spawnSync` can be attacked using a line feed character if CMD is the shell being used.

### Patches

This bug has been patched in [v1.5.8] which you can upgrade to now. No further changes are required.

### Workarounds

Alternatively, line feed characters (`'\n'`) can be stripped out of untrusted input manually before it is passed to Shescape, or the user input can be made the last argument of the command (this only limits the impact: nothing after the input can be cut off, but the input itself is still truncated at the line feed).
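The following is an added example, not code from Shescape or from the advisory, showing the first workaround as a defence-in-depth wrapper around any cmd.exe escaper. It assumes a constructed stand-in escaper (`naiveQuoteForCmd`, a deliberate simplification that, like Shescape before v1.5.8, leaves line feeds untouched; it is not Shescape's implementation) and a helper (`commandSeenByCmd`) that models the behaviour the advisory describes, namely that cmd.exe executes only what precedes the first line feed. The wrapper strips CR/LF from the input and, independently, refuses to build a command if the escaper's output still contains a line break, so a vulnerable escaper is caught rather than trusted. Nothing here spawns a process.

```javascript
// Added example (not Shescape's code): defence in depth around a cmd.exe escaper.

// Constructed stand-in for an escaper that does NOT neutralise line feeds.
// It wraps the argument in double quotes and doubles embedded double quotes;
// this is a simplification for illustration, not Shescape's implementation.
function naiveQuoteForCmd(arg) {
  return `"${String(arg).replace(/"/g, '""')}"`;
}

// Workaround from the advisory: strip line feeds from untrusted input before
// it reaches the escaper. Carriage returns are stripped too as a precaution
// (an assumption of this example; the advisory only names '\n').
function stripLineBreaks(input) {
  return String(input).replace(/[\r\n]/g, "");
}

// Builds `${prefix}${escaped user input}${suffix}` for cmd.exe.
// Throws if the escaped argument still contains a line break, since that
// would let the attacker cut off everything in `suffix`.
function buildCmdCommand(prefix, userInput, suffix, quoteFn, { strip = true } = {}) {
  const cleaned = strip ? stripLineBreaks(userInput) : String(userInput);
  const escaped = quoteFn(cleaned);
  if (/[\r\n]/.test(escaped)) {
    throw new Error("escaped argument still contains a line break; refusing to build command");
  }
  return `${prefix}${escaped}${suffix}`;
}

// Models what cmd.exe actually executes: everything after the first line
// feed is dropped (the behaviour described in the advisory).
function commandSeenByCmd(commandLine) {
  return commandLine.split("\n")[0];
}

// Constructed payload, as in the advisory.
const PAYLOAD = "attacker\n";

// Without the wrapper: the naive escaper passes '\n' through and the tail of
// the command ("! How are you doing?") is lost.
function demoUnprotected() {
  const cmd = `echo Hello ${naiveQuoteForCmd(PAYLOAD)}! How are you doing?`;
  return commandSeenByCmd(cmd);
}

// With the wrapper: the line feed is stripped and the whole command survives.
function demoProtected() {
  const cmd = buildCmdCommand("echo Hello ", PAYLOAD, "! How are you doing?", naiveQuoteForCmd);
  return commandSeenByCmd(cmd);
}

// With stripping disabled, the output check alone still stops the attack:
// the wrapper throws instead of handing a truncatable command line to cmd.exe.
function demoCheckOnly() {
  try {
    buildCmdCommand("echo Hello ", PAYLOAD, "! How are you doing?", naiveQuoteForCmd, { strip: false });
    return "built";
  } catch (e) {
    return "rejected";
  }
}

console.log(demoUnprotected()); // cmd.exe sees: echo Hello "attacker
console.log(demoProtected());   // cmd.exe sees the full command
console.log(demoCheckOnly());   // rejected
```

Upgrading to v1.5.8 remains the real fix; the output check is cheap insurance that does not depend on which escaper version is installed.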

### References

– https://github.com/ericcornelissen/shescape/pull/332
– https://github.com/ericcornelissen/shescape/releases/tag/v1.5.8

### For more information

If you have any questions or comments about this advisory:

– Comment on https://github.com/ericcornelissen/shescape/pull/332
– Open an issue at https://github.com/ericcornelissen/shescape/issues (_New issue_ > _Question_ > _Get started_)

[v1.5.8]: https://github.com/ericcornelissen/shescape/releases/tag/v1.5.8
