PT-2018-4720 · Npm · Shell-Quote

Published 2018-05-31 · Updated 2023-01-31 · CVE-2016-10541

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: shell-quote versions 1.6.0 and earlier
Description: The npm module shell-quote builds shell command lines from argument lists, but affected versions do not escape several shell metacharacters, including >, <, ;, {, and }. If the library is used to escape user input destined for use as command line arguments, an attacker can terminate the intended command with ; and append another one, which makes command injection possible. Arguments containing whitespace are quoted, so the injected text must contain no spaces; Bash brace expansion ({echo,text} expands to echo text) lets an attacker supply a sub-command together with its arguments without using a space, making full command injection possible.
Recommendations: Update to version 1.6.1 or later. Until the update is applied, do not route user-controlled values through shell-quote for use as command line arguments; where possible, invoke the program directly with an argument array (for example child_process.execFile, or spawn without shell: true), which never passes the arguments through a shell at all. Restrict access to any functionality that builds shell commands from untrusted input until the issue is resolved.
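The defect described above and the workaround in the recommendations, as an added example that is not code from the shell-quote package or from this advisory: vulnerableQuote() is a simplified model of the affected behaviour whose backslash-escape list is an assumption chosen to omit the characters the advisory names; safeQuote() is the hardened alternative that single-quotes every argument; unquotedMetachars() is an audit check that walks a finished command line with POSIX quoting rules and reports every metacharacter a shell would still interpret. The attacker value is constructed for the example.

```javascript
// Added example; not the shell-quote source. vulnerableQuote() models the
// pre-1.6.1 behaviour with an ASSUMED escape list that omits > < ; { }.

// Metacharacters a POSIX shell interprets outside quotes (conservative list;
// # and ~ are only special at the start of a word, but are reported anyway).
const METACHARS = new Set([';', '&', '|', '<', '>', '{', '}', '(', ')',
  '$', '`', '*', '?', '[', ']', '!', '#', '~', '\n']);

// Model of the flaw: arguments containing whitespace or quotes are wrapped in
// quotes, but everything else is emitted bare with an incomplete escape list,
// so ; < > { } reach the shell untouched.
function vulnerableQuote(args) {
  return args.map((a) => {
    const s = String(a);
    if (/["\s]/.test(s) && !/'/.test(s)) return "'" + s + "'";
    if (/["'\s]/.test(s)) return '"' + s.replace(/(["\\$`!])/g, '\\$1') + '"';
    return s.replace(/([\\$`()!#&*|])/g, '\\$1'); // assumed list; no ; < > { }
  }).join(' ');
}

// Hardened form: single-quote every argument. A POSIX shell interprets nothing
// inside single quotes, so no escape list has to be complete; an embedded
// single quote is written as '\'' (close the quote, escaped quote, reopen).
function safeQuote(args) {
  return args.map((a) => "'" + String(a).replace(/'/g, "'\\''") + "'").join(' ');
}

// Audit check: track POSIX quoting state across a finished command line and
// collect every metacharacter the shell would still act on. Run it on the
// output of any escaper before the string goes anywhere near sh -c / exec().
function unquotedMetachars(cmdline) {
  const found = [];
  let state = 'bare'; // 'bare' | 'single' | 'double'
  for (let i = 0; i < cmdline.length; i++) {
    const c = cmdline[i];
    if (state === 'single') {
      if (c === "'") state = 'bare';
    } else if (state === 'double') {
      // Inside double quotes only $ ` " and \ are special.
      if (c === '\\' && /[$`"\\]/.test(cmdline[i + 1] || '')) i++;
      else if (c === '"') state = 'bare';
      else if (c === '$' || c === '`') found.push({ index: i, char: c });
    } else {
      if (c === '\\') i++;                  // backslash escapes the next char
      else if (c === "'") state = 'single';
      else if (c === '"') state = 'double';
      else if (METACHARS.has(c)) found.push({ index: i, char: c });
    }
  }
  return found;
}

// Constructed attacker value. It contains no whitespace, so the model emits it
// bare: `;` ends the intended command and bash brace-expands `{echo,injected}`
// into `echo injected`, which is how an argument gets passed without a space.
const ATTACKER_ARG = 'report.txt;{echo,injected}';

function demo() {
  const vuln = vulnerableQuote(['cat', ATTACKER_ARG]);
  const safe = safeQuote(['cat', ATTACKER_ARG]);
  // A payload that uses a literal space is quoted even by the vulnerable
  // model, which is why the attacker needs brace expansion instead.
  const spaced = vulnerableQuote(['cat', 'report.txt;echo injected']);
  return {
    vuln,                                                  // cat report.txt;{echo,injected}
    vulnLeaks: unquotedMetachars(vuln).map((m) => m.char), // [';', '{', '}']
    safe,                                                  // 'cat' 'report.txt;{echo,injected}'
    safeLeaks: unquotedMetachars(safe).map((m) => m.char), // []
    spacedLeaks: unquotedMetachars(spaced).map((m) => m.char), // []
  };
}

console.log(demo());
```

The audit function is the practical takeaway: whatever escaper is in use, the concatenated command line can be checked for metacharacters that sit outside quotes before it is executed. The better workaround, as the recommendations say, is to avoid building a shell string at all: child_process.execFile('cat', [userValue]) hands the argument vector to the program directly, so there is nothing for a shell to expand.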

Weakness Enumeration

OS Command Injection
Code Injection

Related Identifiers

CVE-2016-10541
GHSA-qg8p-v9q4-gh34

Affected Products

Shell-Quote