Impact
Shescape’s escape() function, before version 2.1.10, fails to escape the square-bracket glob syntax ([...]) for Bash, BusyBox sh, and Dash. If an attacker-controlled string such as secret[12] passes through escape() and is then placed, unquoted, into a shell command, the shell reads the brackets as a pattern: secret[12] matches any file named secret1 or secret2 in the working directory, and the single token is replaced by every matching filename, or is left as the literal string when nothing matches (the default behaviour of these shells without nullglob or failglob). The observable result is unintended disclosure of which files exist, which is why the weakness is classified as CWE-200 (Information Exposure). The flaw does not by itself allow arbitrary code execution; its primary impact is that an attacker can learn filesystem details from the target environment, and, because one word can expand to several, can change how many arguments the command receives. Note that this impact is inferred from the mechanics of glob expansion; the CVE description itself does not state a direct data leak. An argument wrapped in single quotes is never subject to glob expansion, so the problem only arises where the escaped, unquoted form reaches the shell.
Affected Systems
The flaw affects the shescape JavaScript library in all releases prior to 2.1.10. The affected CPE is cpe:2.3:a:shescape_project:shescape:*:*:*:*:*:node.js:*:* . Any Node.js application that passes untrusted input through shescape’s escape() function, interpolates the result unquoted into a command string, and executes that string with Bash, BusyBox sh, or Dash is exposed. The weakness is not in the shells themselves but in the library’s incomplete escaping, which only becomes a problem when the output is later interpreted by one of those shells. To find out which version an application actually resolves, run npm ls shescape in the project directory and compare the reported version against 2.1.10.
Risk and Exploitability
The CVSS score of 6.9 indicates medium severity. An EPSS score of less than 1% suggests a very low likelihood of exploitation in the near term, and the vulnerability is not listed in the CISA KEV catalog. The attack path is inferred from the weakness rather than stated by the CVE: an attacker must be able to supply a value that reaches the escape() call, the application must run the resulting string through one of the affected shells without quoting it, and the attacker must be able to observe the outcome (command output, error messages, or a change in behaviour) to learn anything. Because the vulnerability only causes unintended glob expansion and does not grant arbitrary command execution, the damage is limited to information disclosure and to the command receiving a different set of arguments than intended (one token becoming several, or none of the expected ones). That is still significant for applications that handle sensitive data or that act on the expanded arguments, so upgrading to 2.1.10 or later is the appropriate fix.