GHSA-6f6w-6j58-rq76: Shell Injection in shescape via Symlink Chain Misidentification
Vulnerability ID: GHSA-6F6W-6J58-RQ76
CVSS Score: 8.7
Published: 2026-03-07
A high-severity vulnerability exists in the shescape npm package (versions prior to 2.1.9) due to improper resolution of symbolic link chains when identifying the system shell. This flaw allows the library to misidentify the target shell, applying incorrect escaping rules. Attackers can exploit this to bypass protections and inject arbitrary OS commands if the application executes commands in a shell configured via a symlink chain.
TL;DR
The shescape library failed to recursively resolve symbolic links for shell paths, leading to potential shell misidentification. This mismatch allows attackers to bypass argument escaping and execute arbitrary commands (RCE). Fixed in version 2.1.9.
⚠️ Exploit Status: POC
Technical Details
- CVE / GHSA ID: GHSA-6f6w-6j58-rq76
- CWE ID: CWE-78 (OS Command Injection)
- Secondary CWE: CWE-697 (Incorrect Comparison)
- CVSS Score: 8.7 (High)
- Attack Vector: Network
- Impact: Remote Code Execution (RCE)
Affected Systems
- Node.js applications using shescape < 2.1.9
- Systems where the configured shell is a symbolic link chain
-
shescape: < 2.1.9 (Fixed in:
2.1.9)
Code Analysis
Commit: e6df41c
Fix: recursive link resolution for shell identification
Mitigation Strategies
- Upgrade shescape to version 2.1.9 or later
- Refactor code to use
child_process.execFileorspawninstead of shell execution where possible - Avoid configuring shell paths using complex symlink chains if patching is not immediately possible
Remediation Steps:
- Identify dependency:
npm ls shescape - Update package:
npm install shescape@2.1.9 - Verify installation:
npm list shescapeshould show 2.1.9 - Test application to ensure shell command execution behaves as expected
References
Read the full report for GHSA-6F6W-6J58-RQ76 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)