Known CVE vulnerabilities and GitHub Security Advisories affecting the npm package shescape, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (10)
CVE-2022-31180 — CVSS 9.8 (critical): Shescape is a simple shell escape package for JavaScript. Affected versions were found to have insufficient escaping of white space when…
CVE-2022-31179 — CVSS 8.1 (high): Shescape is a simple shell escape package for JavaScript. Versions prior to 1.5.8 were found to be subject to code injection on windows…
CVE-2026-32094 — CVSS 6.5 (medium): Shescape is a simple shell escape library for JavaScript. Prior to 2.1.10, Shescape#escape() does not escape square-bracket glob syntax for…
CVE-2023-40185 — CVSS 6.5 (medium): shescape is simple shell escape library for JavaScript. This may impact users that use Shescape on Windows in a threaded context. The…
CVE-2021-21384 — CVSS 6.3 (medium): shescape is a simple shell escape package for JavaScript. In shescape before version 1.1.3, anyone using _Shescape_ to defend against shell…
CVE-2022-24725 — CVSS 6.2 (medium): Shescape is a shell escape package for JavaScript. An issue in versions 1.4.0 to 1.5.1 allows for exposure of the home directory on Unix…
CVE-2022-25918 — CVSS 5.3 (medium): The package shescape from 1.5.10 and before 1.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the escape function in…
CVE-2023-35931 — CVSS 3.1 (low): Shescape is a simple shell escape library for JavaScript. An attacker may be able to get read-only access to environment variables. This…
CVE-2025-30222: Shescape is a simple shell escape library for JavaScript. Versions 1.7.2 through 2.1.1 are vulnerable to potential environment variable…
CVE-2026-30916: Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: Further investigation determined that the software behavior…