Mar 11, 2026
shescape < 2.1.10 is vulnerable to argument injection due to unescaped square brackets, allowing attackers to exploit shell globbing for unauthorized file access.
The shescape library prior to version 2.1.10 fails to properly escape square brackets when targeting Unix-like shells. This omission allows attackers to leverage shell pathname expansion (globbing) to perform argument injection attacks, potentially exposing sensitive local files.
The shescape library provides utility functions for escaping strings intended for use in shell commands. The library is commonly used in Node.js applications to sanitize untrusted user input before passing it to functions like child_process.exec.
The vulnerability exists in the Shescape#escape() method when the library is configured to target Unix-like shells, specifically Bash, BusyBox sh, and Dash. In versions prior to 2.1.10, the escaping logic fails to neutralize specific shell metacharacters.
Because square brackets ([ and ]) are omitted from the library's escaping character set, attackers can supply input containing these characters to trigger unintended pathname expansion (globbing). This manipulation results in argument injection and exposes sensitive information to unauthorized actors, a weakness classified as CWE-200.
The core issue resides in the regular expression used by shescape to identify special characters that require backslash escapes. The library relies on a blacklist approach to sanitize inputs destined for unquoted command strings.
Unix shells evaluate certain unquoted characters for pathname expansion before executing a command. While the library correctly escaped common globbing operators like * and ?, it omitted the square bracket characters [ and ], which are used to define character classes or ranges.
When shescape processes an input string containing square brackets, it leaves the brackets untouched (an input such as secret[12], which contains no other metacharacter, comes back unmodified). If an application interpolates this string into a command execution sink without quoting it, the underlying shell interprets the brackets as globbing instructions and attempts to match the pattern against files in the current working directory.
The vulnerable implementation defines a static regular expression containing the character class of metacharacters requiring escape sequences. This regex governs the sanitization process for target shells.
In src/internal/unix/bash.js, the pre-patch regular expression omits the square bracket characters entirely:

```javascript
// Vulnerable: Missing [ and ] in the character class
const specials = new RegExp("([\"$&'()*;<>?`{|])", "g");
```

The fix, introduced in commit 6add105c6f6b508662bb5ae3b3bdd4c9bcebf37a, adds [ and \] to the character class, so the library prefixes these characters with a backslash during processing:

```javascript
// Patched: Correctly includes [ and \] for escaping
const specials = new RegExp("([\"$&'()*;<>?[\\]`{|])", "g");
```

While this patch addresses the direct globbing issue for standard shell configurations, developers must exercise caution if advanced shell features like extglob are enabled in Bash. Extended globbing patterns (e.g., @(...) or !(...)) require additional parsing logic that falls outside the scope of this specific patch.
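To make the difference between the two character classes concrete, the following added example (not shescape's own code) reconstructs the backslash-escaping step with the pre-patch and post-patch regular expressions quoted above and runs both over a few constructed inputs. It also includes a small check, hasUnescapedGlob(), that a practitioner can use in a unit test to confirm no *, ? or [ survives escaping; the helper names and the escape step itself are assumptions for illustration, not the library's API.

```javascript
// Added example: simplified reconstruction of shescape's backslash escaping
// with the vulnerable and patched character classes, plus a post-escape check.

// Pre-patch character class: [ and ] are absent.
const SPECIALS_VULNERABLE = new RegExp("([\"$&'()*;<>?`{|])", "g");
// Post-patch character class: [ and \] added.
const SPECIALS_PATCHED = new RegExp("([\"$&'()*;<>?[\\]`{|])", "g");

// Prefix every matched metacharacter with a backslash (blacklist approach).
// escapeWith() is an assumed helper, not a shescape function.
function escapeWith(specials, input) {
  return String(input).replace(specials, "\\$1");
}

function escapeVulnerable(input) {
  return escapeWith(SPECIALS_VULNERABLE, input);
}

function escapePatched(input) {
  return escapeWith(SPECIALS_PATCHED, input);
}

// Scan for *, ? or [ that are not preceded by a backslash: these are the
// characters an unquoted Unix shell word still submits to pathname expansion.
function hasUnescapedGlob(word) {
  let escaped = false;
  for (const ch of word) {
    if (escaped) { escaped = false; continue; }
    if (ch === "\\") { escaped = true; continue; }
    if (ch === "*" || ch === "?" || ch === "[") return true;
  }
  return false;
}

// Constructed sample inputs; "secret[12]" is the payload from the write-up.
const samples = ["secret[12]", "report*.log", "plain.txt"];
for (const s of samples) {
  const v = escapeVulnerable(s);
  const p = escapePatched(s);
  console.log(
    JSON.stringify(s),
    "| pre-patch:", v, hasUnescapedGlob(v) ? "(glob survives)" : "(no glob)",
    "| patched:", p, hasUnescapedGlob(p) ? "(glob survives)" : "(no glob)"
  );
}
```

With the pre-patch class, secret[12] passes through unchanged and the check flags it; with the patched class it becomes secret\[12\] and the check passes, while * and ? are escaped by both versions.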
Exploitation requires the target application to accept user input, process it through shescape.escape(), and interpolate the result directly into a shell command without enclosing it in quotes. The attacker must also have knowledge of or guess filenames present in the target directory.
Consider an attacker submitting the payload secret[12] to an application that constructs a command using the vulnerable library.
```javascript
const { exec } = require('child_process');
const { Shescape } = require('shescape');

// Target a Unix-like shell; the bracket omission affects Bash, BusyBox sh and Dash
const shescape = new Shescape({ shell: 'bash' });

// Attacker provides: "secret[12]" (req is the incoming HTTP request object)
const userInput = req.body.filename;
const escaped = shescape.escape(userInput);

// Application interpolates the escaped value, unquoted, into the command
exec(`cat ${escaped}`);
```

When the shell executes cat secret[12], it performs pathname expansion. If files named secret1 and secret2 exist, the shell expands the single argument into two distinct arguments. The final executed command becomes cat secret1 secret2, processing multiple files instead of the single intended file.
The primary security impact is argument injection. By exploiting the unescaped globbing characters, an attacker forces the application to evaluate unintended files or parameters.
This behavior facilitates local file inclusion or sensitive information exposure. An attacker can systematically extract configuration files, logs, or credentials if the vulnerable application returns the output of the executed command in its HTTP response.
The vulnerability carries a CVSS v4.0 score of 6.9. The severity is bounded by the requirement that specific files must exist on the local filesystem to trigger the glob expansion. If the glob pattern does not match any existing files, the shell typically treats the string as a literal, neutralizing the attack.
The definitive remediation is upgrading the shescape dependency to version 2.1.10 or later. This version contains the updated regular expressions for Bash, BusyBox sh, and Dash.
In environments where immediate patching is not feasible, developers must wrap the interpolated variables in single quotes within the shell command. Single quotes instruct the shell to treat all enclosed characters as string literals, preventing pathname expansion.
Additionally, developers can implement input validation to reject payloads containing unexpected characters. Rejecting inputs that contain [, ], *, or ? provides a robust defense-in-depth mechanism against shell expansion attacks.
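The two interim mitigations described above, single-quoting the interpolated word and rejecting input that carries glob metacharacters, are shown together in this added example (not shescape's or the advisory's own code). The helper names singleQuote, containsGlobChars, isSafeFilename and buildCatCommand are assumptions for illustration; the allowlist pattern in isSafeFilename is stricter than the rejection rule the text gives and is used here as the defence-in-depth layer.

```javascript
// Added example: interim mitigations for unquoted shell interpolation.

// Wrap a word in single quotes so the shell takes every character literally.
// A single quote cannot be escaped inside '...', so close the quotes, emit an
// escaped quote, and reopen:  it's  ->  'it'\''s'
function singleQuote(word) {
  return "'" + String(word).replace(/'/g, "'\\''") + "'";
}

// Rejection rule from the text: refuse any input carrying [, ], * or ?.
function containsGlobChars(input) {
  return /[\[\]*?]/.test(input);
}

// Stricter allowlist (assumption): a plain file name made of letters, digits,
// dot, underscore and dash. Anything else is rejected before it reaches a shell.
function isSafeFilename(input) {
  return /^[A-Za-z0-9._-]+$/.test(input);
}

// Build the command string. Validation and quoting are independent layers:
// even an input that slipped past validation is still quoted.
function buildCatCommand(userInput) {
  if (containsGlobChars(userInput) || !isSafeFilename(userInput)) {
    throw new Error("rejected filename: " + JSON.stringify(userInput));
  }
  return "cat " + singleQuote(userInput);
}

// Constructed inputs; "secret[12]" is the payload from the write-up.
for (const input of ["report.txt", "secret[12]", "it's.txt"]) {
  try {
    // In a real handler the result would be passed to child_process.exec.
    console.log("would run:", buildCatCommand(input));
  } catch (e) {
    console.log(e.message);
  }
}
```

Only report.txt produces a command here; secret[12] is rejected by both rules, and it's.txt fails the allowlist even though singleQuote alone would have rendered it safely as 'it'\''s.txt'.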
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

| Product | Affected Versions | Fixed Version |
|---|---|---|
| shescape (ericcornelissen) | < 2.1.10 | 2.1.10 |

| Attribute | Detail |
|---|---|
| CWE | CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) |
| Attack Vector | Network |
| CVSS v4.0 | 6.9 |
| Exploit Status | Proof of Concept |
| CISA KEV | False |
| Impact | Information Exposure |