CVE-2026-32094 Overview
CVE-2026-32094 is an Input Validation Error vulnerability in Shescape, a JavaScript shell escape library. Prior to version 2.1.10, the Shescape#escape() function fails to properly escape square-bracket glob syntax for Bash, BusyBox sh, and Dash shells. Applications that interpolate the return value directly into a shell command string can allow an attacker-controlled value like secret[12] to expand into multiple filesystem matches instead of a single literal argument, effectively turning one argument into multiple trusted-pathname matches.
Critical Impact
Attackers can bypass shell escaping mechanisms to expand glob patterns, potentially accessing unintended files or causing unexpected command behavior through argument injection.
Affected Products
- Shescape JavaScript library versions prior to 2.1.10
- Applications using Bash, BusyBox sh, or Dash shells with vulnerable Shescape versions
- Node.js applications implementing shell command construction with Shescape escape functions
Discovery Timeline
- 2026-03-11 - CVE CVE-2026-32094 published to NVD
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2026-32094
Vulnerability Analysis
This vulnerability stems from incomplete input sanitization in the Shescape library's escape functionality. The Shescape#escape() function is designed to safely escape user-provided input before it is interpolated into shell commands. However, the function fails to account for square-bracket glob syntax, which is a shell pattern matching feature used in Bash, BusyBox sh, and Dash.
When an attacker provides input containing square brackets (e.g., secret[12]), the escape function passes these characters through unmodified. When the escaped string is subsequently used in a shell command, the shell interprets the square brackets as glob patterns. This causes the shell to expand the pattern to match filenames on the filesystem, potentially matching files like secret1 or secret2 instead of treating the input as the literal string secret[12].
The vulnerability is classified under CWE-200 (Information Exposure), as successful exploitation can lead to unintended information disclosure by accessing files that match the glob pattern.
Root Cause
The root cause is missing input sanitization for shell glob metacharacters in the Shescape#escape() function. The library correctly escapes many shell special characters but overlooks square brackets ([ and ]), which are valid glob pattern syntax in POSIX-compatible shells. This oversight allows glob expansion to occur when the escaped value is used in shell command interpolation.
Attack Vector
The attack vector is network-based, requiring no special privileges or user interaction. An attacker can exploit this vulnerability by providing maliciously crafted input to any application that:
- Accepts user-controlled input
- Processes that input through Shescape#escape()
- Interpolates the escaped result directly into a shell command string
- Executes the command using Bash, BusyBox sh, or Dash
For example, if an application constructs a command like cat ${shescape.escape(userInput)} and the attacker provides config[123], the shell may expand this to match multiple configuration files, potentially exposing sensitive data or causing unexpected command behavior.
Detection Methods for CVE-2026-32094
Indicators of Compromise
- Unexpected file access patterns in application logs showing glob-like patterns with square brackets
- Shell command execution logs containing expanded file lists instead of single literal arguments
- Error messages indicating multiple file matches when single file arguments were expected
- Unusual filesystem access to multiple files with similar naming patterns
Detection Strategies
- Audit application dependencies for Shescape versions prior to 2.1.10 using package management tools
- Implement runtime monitoring for shell command construction patterns that include user-controlled input
- Review application logs for commands containing square-bracket patterns in arguments
- Use static code analysis to identify instances where Shescape#escape() output is interpolated into shell commands
Monitoring Recommendations
- Enable verbose logging for shell command execution in affected applications
- Monitor for anomalous file access patterns that suggest glob expansion exploitation
- Implement alerting for dependency vulnerability scanning results that flag Shescape
- Track changes to sensitive configuration or data files that could be targeted via glob expansion
How to Mitigate CVE-2026-32094
Immediate Actions Required
- Update Shescape to version 2.1.10 or later immediately
- Audit all application code paths that use Shescape#escape() for shell command construction
- Implement additional input validation to reject or escape square-bracket characters before processing
- Review file access logs for any signs of exploitation prior to patching
Patch Information
The vulnerability is addressed in Shescape version 2.1.10. The fix properly escapes square-bracket glob syntax to prevent shell expansion. The patch is available via the GitHub commit 6add105c6f6b508662bb5ae3b3bdd4c9bcebf37a. For complete technical details, refer to the GitHub Security Advisory GHSA-9jfh-9xrq-4vwm.
Workarounds
- Manually escape square brackets in user input before passing to Shescape#escape() by replacing [ with \[ and ] with \]
- Use shell quote functions that fully quote arguments rather than selective escaping
- Avoid direct string interpolation of escaped values into shell commands; prefer array-based command construction with child_process.spawn() instead of child_process.exec()
- Implement allowlist validation on user input to reject any characters not explicitly required
# Example: Update Shescape to patched version
npm update shescape@2.1.10
# Verify installed version
npm list shescape
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
