PT-2022-20592 · Microsoft+1 · Powershell+2

Author: Ericcornelissen

Published: 2022-07-15

Updated: 2023-07-24

CVE: CVE-2022-31180

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Shescape versions prior to 1.5.8
Description: The issue affects users of the escape or escapeAll functions with the interpolation option set to true. If an attacker can include whitespace in their input, they can invoke shell-specific behavior through shell-specific special characters placed in or around that whitespace, or invoke shell-specific behavior or arbitrary commands by inserting line feed or carriage return characters. This affects multiple shells, including Bash, Dash, Zsh, and PowerShell.
Recommendations: To resolve the issue, upgrade to version 1.5.8 or later. No further changes are required. As a temporary workaround, avoid the interpolation: true option; an alternative is usually possible, see the recipes for recommendations. Alternatively, strip all whitespace from user input, but note that this approach is error-prone and may require additional considerations, such as also stripping U+0085 (\u0085) for PowerShell, which JavaScript's \s character class in regular expressions does not match.
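The following is an added example illustrating the second workaround above; it is not Shescape's own code. It contrasts a naive whitespace strip based on JavaScript's \s with one that also removes the characters a given shell treats as whitespace, and shows why \s alone is not enough for PowerShell. The function names and the per-shell table are assumptions made for this example: only the U+0085 entry for PowerShell comes from the advisory, and the assumption that Bash, Dash and Zsh need nothing beyond \s is the author's, not the advisory's.

```javascript
// Added example (not Shescape code): the advisory's "strip all whitespace"
// workaround, and the trap it warns about. JavaScript's \s covers the
// ECMAScript WhiteSpace and LineTerminator sets, which do NOT include
// U+0085 (NEXT LINE). PowerShell treats U+0085 as whitespace, so a strip
// based only on \s lets an attacker keep a separator in the argument.

const JS_WHITESPACE = /\s/u;

// Characters a shell treats as whitespace/line breaks that \s misses.
// Assumption for this example: only PowerShell needs U+0085 (per the
// advisory); the empty entries for the other shells are an assumption.
const EXTRA_SHELL_WHITESPACE = {
  powershell: "\u0085",
  bash: "",
  dash: "",
  zsh: "",
};

// True when JavaScript's \s considers the character whitespace.
function isJsWhitespace(ch) {
  return JS_WHITESPACE.test(ch);
}

// The naive workaround: strip only what \s matches.
// Leaves U+0085 in place, which is exactly the error-prone case.
function naiveStripWhitespace(input) {
  return input.replace(/\s+/gu, "");
}

// Hardened workaround: strip \s whitespace plus the shell-specific extras.
// Iterates by code point so surrogate pairs are never split.
function stripWhitespace(input, shell) {
  const extra = EXTRA_SHELL_WHITESPACE[shell] ?? "";
  let out = "";
  for (const ch of input) {
    if (JS_WHITESPACE.test(ch) || extra.includes(ch)) continue;
    out += ch;
  }
  return out;
}

// Check to run before passing user input into an interpolated argument:
// true when the input still carries anything the target shell could use
// as a separator (space, tab, CR, LF, or the shell-specific extras).
function hasShellWhitespace(input, shell) {
  return stripWhitespace(input, shell) !== input;
}

// Constructed sample input: a value with a NEL between two tokens.
const sample = "harmless\u0085id";
console.log(isJsWhitespace("\u0085"));                  // false: \s misses NEL
console.log(naiveStripWhitespace(sample) === sample);   // true: naive strip kept it
console.log(stripWhitespace(sample, "powershell"));     // "harmlessid"
console.log(hasShellWhitespace(sample, "powershell"));  // true: reject or strip first
```

The practical takeaway matches the advisory: reject or strip on the target shell's definition of whitespace, not JavaScript's, and prefer dropping interpolation: true altogether where an alternative exists.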


Weakness Enumeration

Special Elements Injection

Related Identifiers

CVE-2022-31180
GHSA-44VR-RWWJ-P88H

Affected Products

Bash
Dash
PowerShell