{ "affected": [ { "ranges": [ { "events": [ { "introduced": "8e0d66f7d69d12c96dce8fc9c539b7d9390dc425" }, { "fixed": "542532a64e24ea85044259345451010ca0cce71e" } ], "repo": "https://github.com/ericcornelissen/shescape", "type": "GIT" } ] } ], "aliases": [ "GHSA-446w-rrm4-r47f" ], "database_specific": { "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-200" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/24xxx/CVE-2022-24725.json" }, "details": "Shescape is a shell escape package for JavaScript. An issue in versions 1.4.0 to 1.5.1 allows for exposure of the home directory on Unix systems when using Bash with the `escape` or `escapeAll` functions from the _shescape_ API with the `interpolation` option set to `true`. Other tested shells, Dash and Zsh, are not affected. Depending on how the output of _shescape_ is used, directory traversal may be possible in the application using _shescape_. The issue was patched in version 1.5.1. As a workaround, manually escape all instances of the tilde character (`~`) using `arg.replace(/~/g, \"\\\\~\")`.", "id": "CVE-2022-24725", "modified": "2026-04-01T23:07:48.144277529Z", "published": "2022-03-03T21:35:10Z", "references": [ { "type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/24xxx/CVE-2022-24725.json" }, { "type": "ADVISORY", "url": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-446w-rrm4-r47f" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24725" }, { "type": "REPORT", "url": "https://github.com/ericcornelissen/shescape/issues/169" }, { "type": "FIX", "url": "https://github.com/ericcornelissen/shescape/pull/170" } ], "schema_version": "1.7.3", "severity": [ { "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "type": "CVSS_V3" } ], "summary": "Exposure of home directory through shescape on Unix with Bash" }