Name of the Vulnerable Software and Affected Versions bestzip versions prior to 2.1.7

Description The issue arises from the package's failure to sanitize input rules, which are then passed directly to an exec call on the zip function. This may allow attackers to execute arbitrary code in the system if the destination value is user-controlled. The vulnerability only affects users with a native zip command available. Examples of the issue include executing commands like bestzip test.zip 'sourcefile; mkdir folder' from the CLI or zip({ source: 'sourcefile', destination: './test.zip; mkdir folder' }) programmatically.

Recommendations For versions prior to 2.1.7, update to version 2.1.7 or later to resolve the issue. As a temporary workaround, consider restricting user control over the destination variable to minimize the risk of exploitation. Additionally, avoid using the zip function with user-controlled input until the issue is resolved.