CVE-2022-31180
JavaScript vulnerability analysis and mitigation

Overview

CVE-2022-31180 affects Shescape, a shell escape package for JavaScript, in versions >=1.4.0 and <1.5.8. The vulnerability, discovered and disclosed in July 2022, is insufficient escaping of whitespace characters when the escape or escapeAll functions are used with the interpolation option set to true (GitHub Advisory).

Technical details

The vulnerability allows attackers to exploit shell-specific behavior through special characters inserted after whitespace or line terminating characters. The issue affects multiple shells including Bash, Dash, Zsh, and PowerShell. When using the escape or escapeAll functions with {interpolation: true}, the package fails to properly escape certain characters following whitespace, potentially allowing command injection (GitHub Advisory).

Impact

If an attacker can include whitespace in their input, they can: invoke shell-specific behavior through special characters inserted directly after whitespace in Bash, Dash, Zsh, and PowerShell; invoke shell-specific behavior through special characters inserted after line terminating characters in Bash; invoke arbitrary commands by inserting a line feed character in Bash, Dash, Zsh, and PowerShell; or invoke arbitrary commands by inserting a carriage return character in PowerShell (GitHub Advisory).

Mitigation and workarounds

The vulnerability was patched in two releases: v1.5.7 fixed the whitespace-related issues, and v1.5.8 addressed line feed and carriage return character escaping. As a workaround, users can avoid the {interpolation: true} option or strip all whitespace from user input, though the latter approach is error-prone because the definition of whitespace is shell-specific (GitHub Release, GitHub Release).
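To check which installed copies of Shescape still need the upgrade, the following added example (not code from the advisory or from the Shescape project) audits an npm lockfile against the version boundaries given above. It assumes the npm lockfileVersion 2/3 layout, where a `packages` map is keyed by install path; the function names and the sample lockfile are illustrative and constructed for this example.

```javascript
// Added example: audit an npm lockfile for Shescape versions affected by CVE-2022-31180.

// Parse "x.y.z" (pre-release/build suffix ignored: a simplifying assumption).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// Compare two version strings: negative, zero or positive, like a sort callback.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Classify one version against the page: affected >=1.4.0 <1.5.8,
// v1.5.7 fixed whitespace only, v1.5.8 added line feed / carriage return.
function classifyShescape(version) {
  if (compareVersions(version, "1.4.0") < 0) return "outside-affected-range";
  if (compareVersions(version, "1.5.7") < 0) return "affected";
  if (compareVersions(version, "1.5.8") < 0) return "partial-fix-newlines-unescaped";
  return "patched";
}

// Walk every installed copy, including copies nested under other packages.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isShescape = path === "node_modules/shescape" || path.endsWith("/node_modules/shescape");
    if (!isShescape || !meta.version) continue; // skip other packages and link entries
    findings.push({ path, version: meta.version, status: classifyShescape(meta.version) });
  }
  return findings;
}

// Constructed sample lockfile (not from any real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.1" },
    "node_modules/shescape": { version: "1.5.7" },
    "node_modules/build-tool/node_modules/shescape": { version: "1.4.0" },
    "node_modules/other-tool/node_modules/shescape": { version: "1.5.8" },
  },
};

for (const f of auditLockfile(sampleLock)) console.log(`${f.status.padEnd(32)} ${f.version}  ${f.path}`);
```

A copy pinned at 1.5.7 is reported separately because that release fixed only the whitespace-related issues; nested copies matter because a transitive dependency can keep an older version installed after the top-level one is upgraded.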

This report was generated using AI.

