CVE-2022-31179 Shescape is a simple JS escape package that was found to be vulnerable to code injection.

CVE-2022-31179 Shescape is a simple JS escape package that was found to be vulnerable to code injection.

Shescape 1.5.8 now escapes all arguments by default. Shescape does not escape the `'n'` character because that is a valid unescaped character and is not meant to be escaped. If the `'n'` character is required, a fallback to `'\n'` escaping should be considered. If you encounter non-issues with Shescape use, this bug is not relevant. An attacker can force any argument to be sent as the last argument by including a single `'n'` character in the payload. This bug has been patched in [v1.5.8] which you can upgrade to now. No further changes are required. An attacker can force any argument to be sent as the last argument by including a single `'n'` character in the payload. This bug has been patched in [v1.5.8] which you can upgrade to now. No further changes are required. Alternatively, a user can fix this by always enclosing the `'n'` characters in double quotes.

How do I know if I'm affected?

If you are using Shescape 1.5.8, any argument containing a single `'n'` character is forced to be the last argument.

How to exploit this vulnerability?

This issue is most likely to be exploited by malicious users via a Cross Site Scripting (XSS) attack. The following is an example of how this vulnerability could be exploited:

1. User 1 visits attacker's site and triggers the XSS attack
2. The attacker executes code on user 1's machine
3. The attacker sends code that uses the `'n'` character in the payload, which causes Shescape to transfer it as the last argument in the call
4. The payload causes Shescape to send a large number of arguments

Resolution

This bug was fixed in [v1.5.8] which you can upgrade to now. No further changes are required.

CVE-2023-31062

The security constraints in [v1.5.8] are stricter now and as such, the `'n'` character is not allowed to escape an argument in the body.

References

Subscribe to CVE.news
Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
jamie@example.com
Subscribe