Shescape Environment Variable Exposure Vulnerability in Windows CMD

Vulnerability

A vulnerability in Shescape, a shell escape library for JavaScript, allows for potential exposure of environment variables on Windows when using CMD. This issue affects Shescape versions 1.7.2 through 2.1.1. The vulnerability arises when users explicitly set the shell to 'cmd.exe' or enable the shell option, and utilize any of the quoting or escaping functions. An attacker could exploit this to gain read-only access to environment variables, such as the PATH variable.

Impact

Exploitation of this vulnerability could lead to unauthorized read access of environment variables in the Windows CMD environment.

Reproduction

To reproduce this vulnerability, configure Shescape to use 'cmd.exe' as the shell. Then call one of the escaping or quoting methods with a payload that references an environment variable, such as PATH. The vulnerability is confirmed if the output contains the contents of the referenced environment variable, which shows that the payload was able to read it.

Remediation

Users can upgrade to Shescape version 2.1.2, which addresses this vulnerability. Those using version 1 of Shescape should follow the migration guide to upgrade to version 2.
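
To find installs that still fall in the affected range, the following added example (not code from the advisory or from the Shescape project) checks every copy of shescape recorded in a package-lock.json against versions 1.7.2 through 2.1.1. It assumes npm's lockfileVersion 2 or 3 "packages" layout; the sample lockfile and the package names in it are constructed.

```javascript
// Affected range stated in the advisory: 1.7.2 through 2.1.1 (fixed in 2.1.2).
const AFFECTED_MIN = [1, 7, 2];
const FIXED = [2, 1, 2];

// Parse "MAJOR.MINOR.PATCH"; any prerelease or build suffix is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// Numeric comparison per component, so 1.10.0 sorts after 1.7.2.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  const v = parseVersion(version);
  return v !== null && compare(v, AFFECTED_MIN) >= 0 && compare(v, FIXED) < 0;
}

// Walk the "packages" map of a parsed package-lock.json, including copies
// nested under other dependencies (transitive installs pinned to old versions).
function findAffectedShescape(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/shescape$/.test(path)) continue;
    if (isAffected(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile; "some-tool" and "other-tool" are hypothetical.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/shescape": { version: "2.1.2" },
    "node_modules/some-tool/node_modules/shescape": { version: "1.7.4" },
    "node_modules/other-tool/node_modules/shescape": { version: "1.7.1" },
    "node_modules/shescape-extra": { version: "2.0.0" },
  },
};

console.log(findAffectedShescape(sampleLock));
```

A hit on a nested path means the vulnerable copy is pulled in by another dependency, so upgrading the top-level shescape alone does not remove it.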

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.0
remediation: 8.3
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.