Information disclosure in Ericcornelissen Shescape
CVE-2025-30222
Shescape is a simple shell escape library for JavaScript. Versions 1.7.2 through 2.1.1 are vulnerable to potential environment variable exposure on Windows with CMD. This impacts users of Shescape on Windows that explicitly configure `shell…
Vulnerability class: Information Disclosure
EPSS: 0.001 (28.4th percentile)
Affected products
- Ericcornelissen Shescape — versions >= 1.7.2, < 2.1.2
Weakness classification (CWE)
References
- https://github.com/ericcornelissen/shescape/security/advisories/GHSA-66pp-5p9w-q87j (x_refsource_CONFIRM)
- https://github.com/ericcornelissen/shescape/pull/1916 (x_refsource_MISC)
- https://github.com/ericcornelissen/shescape/commit/0a81f1eb077bab8caae283a2490cd7be9af179c6 (x_refsource_MISC)
- https://github.com/ericcornelissen/shescape/releases/tag/v2.1.2 (x_refsource_MISC)