CVE-2016-10541
CRITICAL9.8EPSS 0.40%Potential Command Injection in shell-quote
Description
Affected versions of `shell-quote` do not properly escape command line arguments, which may result in command injection if the library is used to escape user input destined for use as command line arguments. ## Proof of Concept: The following characters are not escaped properly: `>`,`;`,`{`,`}` Bash has a neat but not well known feature known as "Bash Brace Expansion", wherein a sub-command can be executed without spaces by running it between a set of `{}` and using the `,` instead of ` ` to seperate arguments. Because of this, full command injection is possible even though it was initially thought to be impossible. ``` const quote = require('shell-quote').quote; console.log(quote(['a;{echo,test,123,234}'])); // Actual "a;{echo,test,123,234}" // Expected "a\;\{echo,test,123,234\}" // Functional Equivalent "a; echo 'test' '123' '1234'" ``` ## Recommendation Update to version 1.6.1 or later.
Affected packages (1)
- npm/shell-quotefrom 0, < 1.6.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |