{"id":"CVE-2022-31180","summary":"Insufficient escaping of whitespace in shescape","details":"Shescape is a simple shell escape package for JavaScript. Affected versions were found to have insufficient escaping of white space when interpolating output. This issue only impacts users that use the `escape` or `escapeAll` functions with the `interpolation` option set to `true`. The result is that if an attacker is able to include whitespace in their input they can: 1. Invoke shell-specific behaviour through shell-specific special characters inserted directly after whitespace. 2. Invoke shell-specific behaviour through shell-specific special characters inserted or appearing after line terminating characters. 3. Invoke arbitrary commands by inserting a line feed character. 4. Invoke arbitrary commands by inserting a carriage return character. Behaviour number 1 has been patched in [v1.5.7] which you can upgrade to now. No further changes are required. Behaviour number 2, 3, and 4 have been patched in [v1.5.8] which you can upgrade to now. No further changes are required. The best workaround is to avoid having to use the `interpolation: true` option - in most cases using an alternative is possible, see [the recipes](https://github.com/ericcornelissen/shescape#recipes) for recommendations. Alternatively, users may strip all whitespace from user input. 
Note that this is error prone, for example: for PowerShell this requires stripping `'\\u0085'` which is not included in JavaScript's definition of `\\s` for Regular Expressions.","aliases":["GHSA-44vr-rwwj-p88h"],"modified":"2026-04-16T04:08:35.192333Z","published":"2022-08-01T19:15:16Z","database_specific":{"cwe_ids":["CWE-74"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/31xxx/CVE-2022-31180.json","cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/ericcornelissen/shescape/releases/tag/v1.5.7"},{"type":"WEB","url":"https://github.com/ericcornelissen/shescape/releases/tag/v1.5.8"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/31xxx/CVE-2022-31180.json"},{"type":"ADVISORY","url":"https://github.com/ericcornelissen/shescape/security/advisories/GHSA-44vr-rwwj-p88h"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-31180"},{"type":"FIX","url":"https://github.com/ericcornelissen/shescape/pull/322"},{"type":"FIX","url":"https://github.com/ericcornelissen/shescape/pull/324"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ericcornelissen/shescape","events":[{"introduced":"8e0d66f7d69d12c96dce8fc9c539b7d9390dc425"},{"fixed":"8b6a0eefe08f9cd4340c3364aa90dda0acb31f18"},{"fixed":"10e1d0f64f38f97dac07d9a5ef1bd394393ed4b8"}],"database_specific":{"source":["CPE_FIELD","REFERENCES"],"extracted_events":[{"introduced":"1.4.0"},{"fixed":"1.5.8"}],"cpe":"cpe:2.3:a:shescape_project:shescape:*:*:*:*:*:*:*:*"}}],"versions":["v1.4.0","v1.5.0","v1.5.1","v1.5.2","v1.5.3","v1.5.4","v1.5.5","v1.5.6","v1.5.7"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-31180.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}
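Added illustration (not part of the OSV record and not shescape's code): a toy escaper shaped like the vulnerable behaviour the record describes, the same escaper hardened for interpolation, and a deliberately minimal reader of an unquoted POSIX-style command line used to show where the attacker's argument stops being one word of one command. The escapers, the reader and the inputs are constructed for this example; shescape's real implementation differs.

```javascript
// Added illustration (not shescape's code): a toy model of the gap CVE-2022-31180
// describes. The "shell" below reads an unquoted POSIX-style command line with
// backslash escapes only (no quoting, no expansion); it exists solely to show
// where an interpolated argument stops being a single word of a single command.

// Metacharacters both escapers backslash-escape wherever they appear.
const METACHARS = /[\\"'`$&|;<>()*?[\]{}!]/g;

// Vulnerable shape: '#' and '~' are only special at the start of a word, so they
// are handled only at the start of the argument. Whitespace and line terminators
// are left alone, so a space inside the argument opens a new word (where '#' or
// '~' become special again) and LF/CR open a new command.
function escapeNaive(arg) {
  return String(arg)
    .replace(METACHARS, "\\$&")
    .replace(/^[#~]/, "\\$&");
}

// Hardened shape for interpolation: fold LF and CR to a space first (a line
// terminator cannot simply be backslash-escaped into a literal in every shell),
// then escape horizontal whitespace so no new word or command boundary remains.
// Only ASCII whitespace is handled here; the record's note about U+0085 for
// PowerShell is why a generic "strip \s" workaround is error prone.
function escapeInterpolation(arg) {
  return String(arg)
    .replace(/\r?\n|\r/g, " ")
    .replace(METACHARS, "\\$&")
    .replace(/[ \t]/g, "\\$&")
    .replace(/^[#~]/, "\\$&");
}

// Minimal reader: a backslash protects the next character; an unescaped LF, CR
// or ';' ends the current command; unescaped space/tab ends the current word;
// an unescaped '#' at the start of a word discards the rest of the line.
function splitCommands(line) {
  const commands = [];
  let words = [];
  let word = "";
  let inWord = false;
  let inComment = false;

  const endWord = () => {
    if (inWord) { words.push(word); word = ""; inWord = false; }
  };
  const endCommand = () => {
    endWord();
    if (words.length > 0) commands.push(words);
    words = [];
    inComment = false;
  };

  for (let i = 0; i < line.length; i++) {
    const c = line[i];
    if (inComment) {
      if (c === "\n" || c === "\r") endCommand();
      continue;
    }
    if (c === "\\" && i + 1 < line.length) { word += line[++i]; inWord = true; continue; }
    if (c === "\n" || c === "\r" || c === ";") { endCommand(); continue; }
    if (c === " " || c === "\t") { endWord(); continue; }
    if (c === "#" && !inWord) { inComment = true; continue; }
    word += c;
    inWord = true;
  }
  endCommand();
  return commands;
}

// The pattern the record is about: the caller interpolates the escaped value into
// a larger command string instead of passing it as a separate argv element.
function runEcho(escapeFn, userInput) {
  return splitCommands(`echo ${escapeFn(userInput)}`);
}

// Constructed attacker inputs for behaviours 3, 4 and 1 of the record.
const LF_INJECTION = "hello\nid";
const CR_INJECTION = "hello\rid";
const COMMENT_AFTER_SPACE = "a #b";

for (const input of [LF_INJECTION, CR_INJECTION, COMMENT_AFTER_SPACE]) {
  console.log(JSON.stringify(input),
    "naive:", JSON.stringify(runEcho(escapeNaive, input)),
    "hardened:", JSON.stringify(runEcho(escapeInterpolation, input)));
}
```

With the naive escaper, "hello\nid" and "hello\rid" both yield two commands (`echo hello` followed by `id`) and "a #b" loses everything after the space to a comment; with the hardened escaper each input stays a single argument of a single `echo`. The takeaway matches the record's workaround advice: prefer passing arguments as separate argv elements over interpolating an escaped string, and if you must interpolate, the escaper has to account for every whitespace and line-terminator character the target shell recognises, not just the ones `\s` matches.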