
CVE-2016-10541 shell-quote

Package

Manager: npm
Name: shell-quote
Vulnerable Version: >=0 <1.6.1

Severity

Level: Critical

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.0042 (percentile 0.61141)

Details

Potential Command Injection in shell-quote

Affected versions of `shell-quote` do not properly escape command line arguments, which may result in command injection if the library is used to escape user input destined for use as command line arguments.

## Proof of Concept

The following characters are not escaped properly: `>`, `;`, `{`, `}`.

Bash has a neat but not well known feature, "Bash Brace Expansion": a word such as `{echo,test,123,234}` expands to the separate words `echo test 123 234`, so a sub-command and its arguments can be written without any spaces, using `,` in place of ` ` to separate them. Combined with the unescaped `;`, this means full command injection is possible even though it was initially thought to be impossible.

```
const quote = require('shell-quote').quote;
console.log(quote(['a;{echo,test,123,234}']));
// Actual                "a;{echo,test,123,234}"
// Expected              "a\;\{echo,test,123,234\}"
// Functional Equivalent "a; echo 'test' '123' '234'"
```

## Recommendation

Update to version 1.6.1 or later.
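
As an added example (not code from shell-quote or from the advisory), the following shows two ways of rendering an argument inert for a POSIX shell, one backslash-escaping every metacharacter so that the proof-of-concept input comes out exactly as the "Expected" line above, the other wrapping the argument in single quotes, together with a small checker that reports metacharacters left bare in a quoted command line. The function names, the safe-character set and the metacharacter list are this example's own choices, not the library's.

```javascript
'use strict';
// Characters safe to leave bare; everything else gets escaped. ',' on its
// own is harmless: brace expansion only fires if '{' and '}' survive bare.
const SAFE_CHAR = /^[A-Za-z0-9_\-.,:\/@%+=]$/;

// Backslash-escape one argument (the style shell-quote itself produces).
function escapeArg(arg) {
  if (arg === '') return "''";
  let out = '';
  for (const ch of arg) {
    if (SAFE_CHAR.test(ch)) out += ch;
    else if (ch === '\n') out += "'\n'";  // backslash-newline would be a line continuation
    else out += '\\' + ch;
  }
  return out;
}

// Single-quote one argument: inside '...' only the quote itself is special,
// so an embedded quote is closed, backslash-escaped and reopened ('\'').
function singleQuoteArg(arg) {
  return "'" + arg.replace(/'/g, "'\\''") + "'";
}

// Quote a whole argument vector in either style and join it for a shell.
function quoteArgs(args, style = 'backslash') {
  const fn = style === 'single' ? singleQuoteArg : escapeArg;
  return args.map(fn).join(' ');
}

// Checker: metacharacters that are neither backslash-escaped nor inside
// single quotes in an already "quoted" command line (no double-quote
// handling; enough to audit output of the two quoters above).
function findUnescapedMeta(cmdline) {
  const meta = new Set(['>', ';', '{', '}', '|', '&', '<', '`', '$', '(', ')']);
  const found = [];
  let inSingle = false;
  for (let i = 0; i < cmdline.length; i++) {
    const ch = cmdline[i];
    if (inSingle) { if (ch === "'") inSingle = false; continue; }
    if (ch === '\\') { i++; continue; }   // skip the escaped character
    if (ch === "'") { inSingle = true; continue; }
    if (meta.has(ch)) found.push({ char: ch, index: i });
  }
  return found;
}

// Constructed input: the advisory's proof-of-concept string.
const POC = 'a;{echo,test,123,234}';
console.log(quoteArgs([POC]));            // a\;\{echo,test,123,234\}
console.log(quoteArgs([POC], 'single'));  // 'a;{echo,test,123,234}'
console.log(findUnescapedMeta(POC));      // ';', '{' and '}' left bare
```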

Metadata

Created: 2019-02-18T23:58:29Z
Modified: 2022-11-22T17:49:45Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/02/GHSA-qg8p-v9q4-gh34/GHSA-qg8p-v9q4-gh34.json
CWE IDs: ["CWE-78", "CWE-94"]
Alternative ID: GHSA-qg8p-v9q4-gh34
Finding: F004
Auto approve: 1