shelljs is a wrapper for the Unix shell commands for Node.js.
Affected versions of this package are vulnerable to Improper Privilege Management. When ShellJS is used to create shell scripts which may be running as root, users with low-level privileges on the system can leak sensitive information such as passwords (depending on implementation) from the standard output of the privileged process, or shut down privileged ShellJS processes via the exec function by triggering EACCESS errors.
Note: This only impacts the synchronous version of shell.exec().
Remediation
Upgrade shelljs to version 0.8.5 or higher.
References
SNYK-JS-SHELLJS-2332187 (CVE-2022-0144)
shelljs@0.3.0