CVE-2025-30222 LOW

CVE-2025-30222: Shescape has potential environment variable exposure on Windows with CMD

Vendor Ericcornelissen

Product shescape

Weakness CWE-200 · Info exposure

Published March 25, 2025

Last update March 26, 2025

View on NVD All CVEs

CVSS base score

2.1/10

Attack vector Local

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U

What the vulnerability does

01Description

Shescape is a simple shell escape library for JavaScript. Versions 1.7.2 through 2.1.1 are vulnerable to potential environment variable exposure on Windows with CMD. This impact users of Shescape on Windows that explicitly configure `shell: 'cmd.exe'` or `shell: true` using any of `quote`/`quoteAll`/`escape`/`escapeAll`. An attacker may be able to get read-only access to environment variables. This bug has been patched in v2.1.2. For those who are already using v2 of Shescape, no further changes are required. Those who are are using v1 of Shescape should follow the migration guide to upgrade to v2. There is no plan to release a patch compatible with v1 of Shescape. As a workaround, users can remove all instances of `%` from user input before using Shescape.

Key dates

02Disclosure timeline

March 25, 2025 CVE published

March 26, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-30222

Related vulnerabilities

CVE-2025-30222: Shescape has potential environment variable exposure on Windows with CMD

01Description

02Disclosure timeline

03References

04Related CVE