Ericcornelissen · Shescape · CVE-2026-32094
**Name of the Vulnerable Software and Affected Versions**
Shescape versions prior to 2.1.10
**Description**
Shescape is a JavaScript library for shell escaping. Before version 2.1.10, the `Shescape#escape()` function did not escape the square bracket glob syntax (`[` and `]`) for Bash, BusyBox sh, and Dash. When the escaped value was interpolated directly into a shell command string, an attacker-controlled value such as `secret[12]` could therefore be expanded by the shell as a bracket-expression pattern, matching multiple filesystem entries instead of being passed as a single literal argument. This can lead to argument injection, potentially altering command behavior, targeting unintended files, or leaking filenames. The issue stems from the lack of escaping for brackets in the library's Unix escape helpers.
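To make the defect class concrete, here is an added example (not Shescape's code): a simplified backslash-escaper for Bash/Dash/BusyBox sh in a weak variant that skips `[` and `]` and a fixed variant that escapes them, plus a checker that flags any glob metacharacter the escaper left unprotected. The character set is illustrative, and the weak variant models the omission described above rather than the library's real implementation.

```javascript
// Added example, not Shescape's code. The character set is illustrative, and
// the "weak" variant models the omission described in the advisory rather
// than the library's real implementation.

// Shell metacharacters that a backslash-escaper for Bash/Dash/BusyBox sh must
// neutralise when the argument is interpolated unquoted. The weak set leaves
// out the bracket-expression characters '[' and ']'.
const WEAK_SPECIALS = new Set([
  '\\', ' ', '\t', '"', "'", '`', '$', '&', '|', ';', '(', ')',
  '<', '>', '*', '?', '#', '~', '{', '}', '!',
]);
const FIXED_SPECIALS = new Set([...WEAK_SPECIALS, '[', ']']);

// Prefix every special character with a backslash; all others pass through.
function escapeWith(specials, value) {
  let out = '';
  for (const ch of String(value)) {
    out += specials.has(ch) ? '\\' + ch : ch;
  }
  return out;
}
const escapeWeak = (value) => escapeWith(WEAK_SPECIALS, value);
const escapeFixed = (value) => escapeWith(FIXED_SPECIALS, value);

// Defender-side check: scan escaper output for glob metacharacters ('*', '?',
// '[', ']') that are not protected by an odd run of preceding backslashes.
// Any hit means the shell may still treat the argument as a pattern.
function unescapedGlobChars(escaped) {
  const hits = [];
  let backslashes = 0;
  for (let i = 0; i < escaped.length; i++) {
    const ch = escaped[i];
    if (ch === '\\') { backslashes += 1; continue; }
    if ('*?[]'.includes(ch) && backslashes % 2 === 0) hits.push({ index: i, char: ch });
    backslashes = 0;
  }
  return hits;
}

// Run a value through an escaper and report what the checker finds.
function auditEscaper(escapeFn, value) {
  const escaped = escapeFn(value);
  return { escaped, leaks: unescapedGlobChars(escaped) };
}

// Sample value taken from the advisory text above.
const SAMPLE = 'secret[12]';
console.log(auditEscaper(escapeWeak, SAMPLE));  // leaks '[' and ']'
console.log(auditEscaper(escapeFixed, SAMPLE)); // no leaks
```

The checker is a cheap regression test to run over any escaper's output before trusting it in unquoted interpolation; wrapping the value in single quotes via a quoting routine is the more robust option where the shell allows it.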
**Recommendations**
Update Shescape to version 2.1.10 or later.