PT-2022-20591 · Shescape

Ericcornelissen · Published 2022-07-15 · Updated 2022-08-09

CVE-2022-31179
CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H
Name of the Vulnerable Software and Affected Versions: Shescape versions prior to 1.5.8

Description: The issue impacts users of Shescape who use any API function to escape arguments for cmd.exe on Windows. An attacker can omit all arguments following their input by including a line feed character (\n) in the payload. This allows for code injection on Windows.

Recommendations: For versions prior to 1.5.8, upgrade to version 1.5.8 to resolve the issue. No further changes are required. Alternatively, line feed characters (\n) can be stripped out manually, or the user input can be made the last argument to limit the impact.
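The two workarounds the advisory recommends, stripping line feeds and making the untrusted value the last argument, as an added JavaScript example that is not Shescape's own code; the function names, the version gate against 1.5.8, the "/c type" arguments and the sample input are all constructed here for illustration.

```javascript
// Added example (not Shescape's code): applies the advisory's workarounds before
// an argument list reaches cmd.exe, gated on a plain x.y.z Shescape version.

const FIXED_VERSION = [1, 5, 8]; // first release with the fix

// True when `version` (assumed to be a plain "x.y.z" string) is older
// than 1.5.8, i.e. when the workarounds below still apply.
function needsWorkaround(version) {
  const parts = String(version).split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unsupported version string: ${version}`);
  }
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED_VERSION[i]) return parts[i] < FIXED_VERSION[i];
  }
  return false;
}

// Matches the line feed the advisory describes; carriage return is included
// as a conservative choice made here, not something the advisory requires.
const LINE_BREAK = /[\r\n]/;

function hasLineBreak(arg) {
  return LINE_BREAK.test(String(arg));
}

// Workaround 1: strip line feeds so a payload cannot end the command line early.
function stripLineBreaks(arg) {
  return String(arg).replace(/[\r\n]/g, "");
}

// Workaround 2: put the untrusted value last, so nothing follows it that a line
// feed could drop. Trusted arguments are checked too, since truncation happens
// wherever the line feed sits. `mode` is "reject" (fail closed) or "strip".
function buildCmdArgs(fixedArgs, untrusted, mode = "reject") {
  for (const arg of fixedArgs) {
    if (hasLineBreak(arg)) throw new Error("line feed in trusted argument");
  }
  let last = String(untrusted);
  if (hasLineBreak(last)) {
    if (mode !== "strip") throw new Error("line feed in untrusted argument");
    last = stripLineBreaks(last);
  }
  return [...fixedArgs, last];
}

// Constructed sample input: an untrusted file name carrying a line feed.
const sampleArgs = buildCmdArgs(["/c", "type"], "report.txt\ndropped", "strip");
```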

Exploit
Fix
Special Elements Injection

Weakness Enumeration

Related Identifiers: CVE-2022-31179, GHSA-JJC5-FP7P-6F8W

Affected Products: Shescape