The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec()
, an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is [A-z]
instead of the correct [A-Za-z]
. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.
{ "nvd_published_at": "2021-10-21T15:15:00Z", "cwe_ids": [ "CWE-77" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2022-06-21T20:08:10Z" }