Shescape is a JavaScript library designed to safely escape shell commands to prevent injection attacks. Versions prior to 2.1.9 contain a vulnerability (CVE-2026-30916) classified under CWE-200, which involves the exposure of sensitive information to unauthorized actors. The root cause is a bypass of the escaping mechanism when the shell configured in Shescape points to a file on disk that is a symbolic link to another symbolic link. This chaining of symbolic links can cause Shescape to incorrectly identify the shell or fail to apply proper escaping. As a result, an attacker can craft inputs that bypass the escaping protections, potentially causing sensitive data exposure. The exact impact depends on the shell environment and how Shescape interprets the shell path. The vulnerability is remotely exploitable without authentication or user interaction, but the scope is limited to environments using vulnerable Shescape versions with such shell configurations. The issue was publicly disclosed on March 9, 2026, and fixed in version 2.1.9. No known exploits have been reported in the wild, indicating limited active exploitation.

Organizations using Shescape versions prior to 2.1.9 in environments where the shell is configured as a symbolic link to another link are at risk of sensitive information exposure. This could include leakage of environment variables, command outputs, or other data accessible via shell commands. While the vulnerability does not allow direct code execution or system compromise, exposure of sensitive information can facilitate further attacks such as credential theft or privilege escalation. The impact is primarily on confidentiality, with limited effect on integrity or availability. Since Shescape is a niche JavaScript library, the overall affected population is relatively small, but organizations relying on it in critical systems or automated scripts could face data leakage risks. The lack of authentication or user interaction requirements increases the risk of remote exploitation in exposed environments.

Upgrade all instances of Shescape to version 2.1.9 or later to ensure the vulnerability is patched. Review shell configurations to avoid using shells that are symbolic links to other links, or validate and sanitize shell paths before use. Implement strict input validation and sanitization in any code invoking shell commands, even when using escaping libraries. Employ runtime monitoring to detect unusual shell command executions or unexpected data exposures. Limit the permissions and environment variables accessible to shell commands to minimize sensitive data exposure. Conduct code audits and dependency scans regularly to identify and remediate vulnerable library versions. Where possible, isolate environments running vulnerable versions to reduce exposure and apply network segmentation to limit attacker access.