CVE-2021-21384

Name of the Vulnerable Software and Affected Versions shescape versions prior to 1.1.3

Description The issue affects shescape, a simple shell escape package for JavaScript, where users may still be vulnerable to shell injection if an attacker manages to insert a null character into the payload. This can be exploited, for example, by inserting a null character in a payload on Windows. The problem has been patched in version 1.1.3.

Recommendations For versions prior to 1.1.3, upgrade to version 1.1.3 to resolve the issue. As a temporary workaround, consider stripping out null characters manually using a method like arg.replace(/u{0}/gu, "") until the upgrade to version 1.1.3 is applied.