CVE-2022-24725 - Vulnerability Details - OpenCVE

Shescape is a shell escape package for JavaScript. An issue in versions 1.4.0 to 1.5.1 allows for exposure of the home directory on Unix systems when using Bash with the `escape` or `escapeAll` functions from the _shescape_ API with the `interpolation` option set to `true`. Other tested shells, Dash and Zsh, are not affected. Depending on how the output of _shescape_ is used, directory traversal may be possible in the application using _shescape_. The issue was patched in version 1.5.1. As a workaround, manually escape all instances of the tilde character (`~`) using `arg.replace(/~/g, "\\~")`.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact partial

Vendors	Products
Shescape Project	Shescape

Configuration 1 [-]

cpe:2.3:a:shescape_project:shescape:*:*:*:*:*:node.js:*:*

No data.

References

Link	Providers
https://github.com/ericcornelissen/shescape/issues/169
https://github.com/ericcornelissen/shescape/pull/170
https://github.com/ericcornelissen/shescape/security/advisories/GHSA-446w-rrm4-r47f

History

Tue, 22 Apr 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-03-03T21:35:10.000Z

Updated: 2025-04-22T18:20:38.968Z

Reserved: 2022-02-10T00:00:00.000Z

Link: CVE-2022-24725

Vulnrichment

Updated: 2024-08-03T04:20:49.870Z

NVD

Status : Modified

Published: 2022-03-03T22:15:08.950

Modified: 2024-11-21T06:50:57.537

Link: CVE-2022-24725

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "shescape", "vendor": "ericcornelissen", "versions": [{"status": "affected", "version": ">= 1.4.0, < 1.5.1"}]}], "descriptions": [{"lang": "en", "value": "Shescape is a shell escape package for JavaScript. An issue in versions 1.4.0 to 1.5.1 allows for exposure of the home directory on Unix systems when using Bash with the `escape` or `escapeAll` functions from the _shescape_ API with the `interpolation` option set to `true`. Other tested shells, Dash and Zsh, are not affected. Depending on how the output of _shescape_ is used, directory traversal may be possible in the application using _shescape_. The issue was patched in version 1.5.1. As a workaround, manually escape all instances of the tilde character (`~`) using `arg.replace(/~/g, \"\\\\~\")`."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-03-03T21:35:10.000Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-446w-rrm4-r47f"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/ericcornelissen/shescape/issues/169"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/ericcornelissen/shescape/pull/170"}], "source": {"advisory": "GHSA-446w-rrm4-r47f", "discovery": "UNKNOWN"}, "title": "Exposure of home directory through shescape on Unix with Bash", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-24725", "STATE": "PUBLIC", "TITLE": "Exposure of home directory through shescape on Unix with Bash"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "shescape", "version": {"version_data": [{"version_value": ">= 1.4.0, < 1.5.1"}]}}]}, "vendor_name": "ericcornelissen"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Shescape is a shell escape package for JavaScript. An issue in versions 1.4.0 to 1.5.1 allows for exposure of the home directory on Unix systems when using Bash with the `escape` or `escapeAll` functions from the _shescape_ API with the `interpolation` option set to `true`. Other tested shells, Dash and Zsh, are not affected. Depending on how the output of _shescape_ is used, directory traversal may be possible in the application using _shescape_. The issue was patched in version 1.5.1. As a workaround, manually escape all instances of the tilde character (`~`) using `arg.replace(/~/g, \"\\\\~\")`."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}]}, "references": {"reference_data": [{"name": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-446w-rrm4-r47f", "refsource": "CONFIRM", "url": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-446w-rrm4-r47f"}, {"name": "https://github.com/ericcornelissen/shescape/issues/169", "refsource": "MISC", "url": "https://github.com/ericcornelissen/shescape/issues/169"}, {"name": "https://github.com/ericcornelissen/shescape/pull/170", "refsource": "MISC", "url": "https://github.com/ericcornelissen/shescape/pull/170"}]}, "source": {"advisory": "GHSA-446w-rrm4-r47f", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T04:20:49.870Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-446w-rrm4-r47f"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ericcornelissen/shescape/issues/169"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ericcornelissen/shescape/pull/170"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-22T15:49:34.610989Z", "id": "CVE-2022-24725", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-22T18:20:38.968Z"}}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-24725", "datePublished": "2022-03-03T21:35:10.000Z", "dateReserved": "2022-02-10T00:00:00.000Z", "dateUpdated": "2025-04-22T18:20:38.968Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-446w-rrm4-r47f", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/ericcornelissen/shescape/issues/169", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/ericcornelissen/shescape/pull/170", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T04:20:49.870Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-24725", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-22T15:49:34.610989Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-22T15:49:36.285Z"}}], "cna": {"title": "Exposure of home directory through shescape on Unix with Bash", "source": {"advisory": "GHSA-446w-rrm4-r47f", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.2, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "ericcornelissen", "product": "shescape", "versions": [{"status": "affected", "version": ">= 1.4.0, < 1.5.1"}]}], "references": [{"url": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-446w-rrm4-r47f", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/ericcornelissen/shescape/issues/169", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/ericcornelissen/shescape/pull/170", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Shescape is a shell escape package for JavaScript. An issue in versions 1.4.0 to 1.5.1 allows for exposure of the home directory on Unix systems when using Bash with the `escape` or `escapeAll` functions from the _shescape_ API with the `interpolation` option set to `true`. Other tested shells, Dash and Zsh, are not affected. Depending on how the output of _shescape_ is used, directory traversal may be possible in the application using _shescape_. The issue was patched in version 1.5.1. As a workaround, manually escape all instances of the tilde character (`~`) using `arg.replace(/~/g, \"\\\\~\")`."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-03-03T21:35:10.000Z"}, "x_legacyV4Record": {"impact": {"cvss": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.2, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, "source": {"advisory": "GHSA-446w-rrm4-r47f", "discovery": "UNKNOWN"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": ">= 1.4.0, < 1.5.1"}]}, "product_name": "shescape"}]}, "vendor_name": "ericcornelissen"}]}}, "data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-446w-rrm4-r47f", "name": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-446w-rrm4-r47f", "refsource": "CONFIRM"}, {"url": "https://github.com/ericcornelissen/shescape/issues/169", "name": "https://github.com/ericcornelissen/shescape/issues/169", "refsource": "MISC"}, {"url": "https://github.com/ericcornelissen/shescape/pull/170", "name": "https://github.com/ericcornelissen/shescape/pull/170", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "Shescape is a shell escape package for JavaScript. An issue in versions 1.4.0 to 1.5.1 allows for exposure of the home directory on Unix systems when using Bash with the `escape` or `escapeAll` functions from the _shescape_ API with the `interpolation` option set to `true`. Other tested shells, Dash and Zsh, are not affected. Depending on how the output of _shescape_ is used, directory traversal may be possible in the application using _shescape_. The issue was patched in version 1.5.1. As a workaround, manually escape all instances of the tilde character (`~`) using `arg.replace(/~/g, \"\\\\~\")`."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2022-24725", "STATE": "PUBLIC", "TITLE": "Exposure of home directory through shescape on Unix with Bash", "ASSIGNER": "security-advisories@github.com"}}}}, "cveMetadata": {"cveId": "CVE-2022-24725", "state": "PUBLISHED", "dateUpdated": "2025-04-22T18:20:38.968Z", "dateReserved": "2022-02-10T00:00:00.000Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2022-03-03T21:35:10.000Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:shescape_project:shescape:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "300F4AA8-8F2F-4AF5-B0B3-511E231C74DE", "versionEndExcluding": "1.5.1", "versionStartIncluding": "1.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Shescape is a shell escape package for JavaScript. An issue in versions 1.4.0 to 1.5.1 allows for exposure of the home directory on Unix systems when using Bash with the `escape` or `escapeAll` functions from the _shescape_ API with the `interpolation` option set to `true`. Other tested shells, Dash and Zsh, are not affected. Depending on how the output of _shescape_ is used, directory traversal may be possible in the application using _shescape_. The issue was patched in version 1.5.1. As a workaround, manually escape all instances of the tilde character (`~`) using `arg.replace(/~/g, \"\\\\~\")`."}, {"lang": "es", "value": "Shescape es un paquete de escape de shell para JavaScript. Un problema en las versiones 1.4.0 a 1.5.1 permite una exposici\u00f3n del directorio de inicio en los sistemas Unix cuando es usada Bash con las funciones \"escape\" o \"escapeAll' de la API _shescape_ con la opci\u00f3n \"interpolation\" establecida en \"true\". Otros shells probados, Dash y Zsh, no est\u00e1n afectados. Dependiendo de c\u00f3mo es usada la salida de _shescape_, puede ser posible un salto de directorio en la aplicaci\u00f3n que usa _shescape_. El problema fue parcheado en la versi\u00f3n 1.5.1. Como medida de mitigaci\u00f3n, escape manualmente todas las instancias del car\u00e1cter tilde (\"~\") usando \"arg.replace(/~/g, \"\\~~\")`"}], "id": "CVE-2022-24725", "lastModified": "2024-11-21T06:50:57.537", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 1.9, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-03-03T22:15:08.950", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/ericcornelissen/shescape/issues/169"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/ericcornelissen/shescape/pull/170"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-446w-rrm4-r47f"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/ericcornelissen/shescape/issues/169"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/ericcornelissen/shescape/pull/170"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-446w-rrm4-r47f"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}]}