CVE-2023-35931: 
JavaScript vulnerability analysis and mitigation

CVE-2023-35931 affects Shescape, a shell escape library for JavaScript, in versions prior to 1.7.1. The vulnerability was discovered and disclosed in June 2023, allowing attackers to potentially gain read-only access to environment variables on Windows systems when using Windows Command Prompt (cmd.exe) with specific library functions (GitHub Advisory).

The vulnerability occurs when using quote/quoteAll or escape/escapeAll functions with the interpolation option set to true on Windows Command Prompt. The issue stems from improper handling of the '%' character in command strings, which could be exploited to read environment variables. The vulnerability has a CVSS v3.1 base score of 4.3 (MEDIUM) according to NVD, with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (NVD).

An attacker can potentially gain read-only access to environment variables on affected systems. For example, using the payload '%PATH%' in affected functions could expose the contents of the PATH environment variable (GitHub Advisory).

The vulnerability has been patched in version 1.7.1 of Shescape. Users should upgrade to this version or later. As a workaround, users can remove all instances of '%' from user input, either before or after using Shescape (GitHub Advisory).