CVE-2025-30222: 
JavaScript vulnerability analysis and mitigation

Shescape, a shell escape library for JavaScript, was found to have a vulnerability (CVE-2025-30222) affecting versions 1.7.2 through 2.1.1. The vulnerability was discovered on March 25, 2025, and impacts users of Shescape on Windows systems when specifically configured with shell: 'cmd.exe' or shell: true (GitHub Advisory).

The vulnerability stems from improper escaping of the % character when using CMD on Windows systems. When using any of the functions quote/quoteAll/escape/escapeAll, the library fails to properly escape environment variable references, which could expose sensitive information. The issue has been assigned a CVSS v4.0 score of 2.1 (LOW) with the vector string CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U and is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (NVD).

The vulnerability allows attackers to potentially gain read-only access to environment variables on affected Windows systems. This could lead to the disclosure of sensitive information stored in environment variables, such as API keys, tokens, or system configuration details (GitHub Advisory).

The vulnerability has been patched in version 2.1.2. Users of Shescape v2 can upgrade directly to this version. Users of v1 are advised to follow the migration guide to upgrade to v2, as no patch will be released for v1. As a temporary workaround, users can remove all instances of % from user input before using Shescape (GitHub Advisory).