docs.hackerone.com icon indicating copy to clipboard operation
docs.hackerone.com copied to clipboard
verified publisher icon Hacker0x01

Improper Neutralization of Special Elements used in a Command in Shell-quote

Open imhunterand opened this issue 3 years ago • 0 comments

The latest possible version that can be installed is 1.7.2 because of the following conflicting dependencies:

@fec/[email protected] requires [email protected] via a transitive dependency on [email protected]
[email protected] requires [email protected] via a transitive dependency on [email protected]

The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is {A-z] instead of the correct {A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.

CVE-2021-42740

imhunterand avatar Jul 30 '22 19:07 imhunterand