CVE-2021-3727

Name of the Vulnerable Software and Affected Versions ohmyzsh versions prior to the version that includes commit 72928432

Description The issue concerns command injection through quotes fetched from external APIs by the rand-quote and hitokoto plugins. These plugins process quotes from quotationspage.com and hitokoto.cn, respectively, and then print them using print -P. If the quotes contain specific symbols, they could trigger command injection. Since the quotes come from external APIs, it's not possible to guarantee their safety. The quote function in the rand-quote plugin and the hitokoto function in the hitokoto plugin are impacted.

Recommendations As a temporary workaround, consider disabling the quote function in the rand-quote plugin and the hitokoto function in the hitokoto plugin until a patch is available. Update to a version that includes commit 72928432 to resolve the issue.