CVE-2026-32094: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in ericcornelissen shescape
Shescape is a simple shell escape library for JavaScript. Prior to 2.1.10, Shescape#escape() does not escape square-bracket glob syntax for Bash, BusyBox sh, and Dash. Applications that interpolate the return value directly into a shell command string can cause an attacker-controlled value like secret[12] to expand into multiple filesystem matches instead of a single literal argument, turning one argument into multiple trusted-pathname matches. This vulnerability is fixed in 2.1.10.
AI Analysis
Technical Summary
Shescape is a JavaScript library for escaping strings before they are placed in shell commands. Prior to version 2.1.10, Shescape#escape() did not escape the square-bracket glob syntax recognized by Bash, BusyBox sh, and Dash. escape() returns an unquoted string intended for interpolation into a command line, so an attacker-controlled value such as secret[12] reaches the shell with its brackets intact. The shell reads [12] as a bracket expression matching a single character, 1 or 2, and if files named secret1 and secret2 exist in the command's working directory it replaces the one word with every matching pathname. A command written to act on one trusted file therefore receives several, which is why the issue is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor): the extra matches can pull files the caller never intended into a read, copy, or upload.
Two conditions bound the impact. First, expansion only occurs when the escaped value is placed unquoted in a command string that a shell parses; a value passed as one element of an argument array never reaches a shell and is unaffected. Second, in these shells a bracket expression that matches no file is left as the literal word (Bash's nullglob and failglob options change this, but both are off by default), so the attacker needs to know or guess names that actually exist under the working directory.
The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N) rates the issue as network-reachable with low attack complexity, requiring no privileges or user interaction, with low confidentiality and integrity impact and no availability impact; in practice it is remotely reachable only where an application passes remote input through escape() into a command string. The issue was publicly disclosed on March 11, 2026 and fixed in shescape 2.1.10. No exploitation in the wild is known. Organizations using vulnerable versions should upgrade and review how they build shell commands, avoiding direct interpolation of untrusted input.
Potential Impact
This vulnerability can expose files a command was never meant to touch: an attacker-controlled argument that should name one file is expanded by the shell into every pathname matching the bracket pattern. Organizations running shescape versions prior to 2.1.10 in code that interpolates escape() output into a shell command string risk disclosing the contents or names of additional files in the working directory. The impact is to confidentiality (extra files read or sent somewhere) and to integrity (extra files written, moved, or deleted, depending on what the command does with its arguments). Exploitation requires no authentication or user interaction and is remote wherever the input is, so the attack surface of an affected application is broad. It is, however, limited to code paths that build command strings from untrusted input, and the attacker must target filenames that exist in the command's working directory since a non-matching pattern stays literal. There is no direct impact on availability. Organizations handling sensitive data or running critical infrastructure with vulnerable shescape versions face increased risk of information disclosure that can aid reconnaissance or further attacks.
Mitigation Recommendations
1. Upgrade all instances of the shescape library to version 2.1.10 or later, where the vulnerability is fixed.
2. Audit every call to Shescape#escape() and trace how the return value is used. A value interpolated unquoted into a command string is exactly the pattern this bug affects; a value passed in an argument array is not.
3. Avoid building shell commands by concatenating or interpolating untrusted input. Spawn the process with an argument array (for example child_process.spawn or execFile with the shell option left off) so that no shell parses the value. Where a shell is unavoidable, wrap the value in quotes (shescape's quote() method does this) rather than relying on escape() alone.
4. Validate input against an allowlist where a bare filename or identifier is expected, rejecting values containing [, ], *, ? and other shell metacharacters.
5. Monitor and alert on shell command executions with unexpected argument counts or with arguments that differ from the value the application supplied.
6. Educate developers on secure shell command construction and on the difference between escaping a value and removing the shell from the path entirely.
7. Where possible, replace shell command invocations with native APIs or libraries that do not require shell interpretation.
8. Conduct penetration testing focused on injection and glob expansion vectors to verify that mitigations hold.
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, India, Canada, Australia, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-10T22:02:38.853Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b1cd382f860ef94372073d
Added to database: 3/11/2026, 8:14:48 PM
Last enriched: 3/11/2026, 8:30:47 PM
Last updated: 3/14/2026, 1:06:48 AM