CVE-2023-35931

Name of the Vulnerable Software and Affected Versions Shescape versions prior to 1.7.1

Description An attacker may be able to get read-only access to environment variables. This issue affects users of Shescape on Windows using the Windows Command Prompt, and when using quote/quoteAll or escape/escapeAll with the interpolation option set to true. For example, an attacker can exploit this by using a payload like %PATH% in the shescape.quote() or shescape.escape() functions, allowing them to access the contents of the PATH environment variable.

Recommendations For versions prior to 1.7.1, upgrade to version 1.7.1 to patch the bug. As a temporary workaround, consider removing all instances of % from user input, either before or after using Shescape, to minimize the risk of exploitation.