PT-2021-23668 · Unknown · Shell-Quote

Published: 2021-10-21 · Updated: 2023-03-02 · CVE-2021-42740

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: shell-quote versions prior to 1.7.3
Description: The issue allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command run with exec(), an attacker can inject arbitrary commands. The cause is that the Windows drive letter regex uses the character class [A-z] instead of the correct [A-Za-z]. Several shell metacharacters sit in the ASCII range between the capital letter Z and the lower-case letter a, such as the backtick character.
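The following JavaScript is an added example, not shell-quote's own code. It makes the ASCII range mistake concrete by listing the characters that [A-z] accepts but [A-Za-z] rejects, and it provides a small audit helper that feeds those characters to a shell-quoting routine and reports any that come back bare. The quoter quoteWith() and the two safe-list patterns WEAK_SAFE and FIXED_SAFE are hypothetical constructions for this example; only the [A-z] versus [A-Za-z] distinction comes from the advisory.

```javascript
// Added example, not shell-quote's own code. Demonstrates the ASCII range
// mistake described in the advisory ([A-z] instead of [A-Za-z]) and gives
// an audit helper for any shell-quoting routine. quoteWith(), WEAK_SAFE and
// FIXED_SAFE are hypothetical constructions written for this example.

// Every printable ASCII character matched by [A-z] but not by [A-Za-z].
// These are the codes 0x5B..0x60, which sit between 'Z' (0x5A) and 'a' (0x61).
function strayCharacters() {
  const stray = [];
  for (let code = 0x20; code < 0x7f; code++) {
    const ch = String.fromCharCode(code);
    if (/^[A-z]$/.test(ch) && !/^[A-Za-z]$/.test(ch)) stray.push(ch);
  }
  return stray; // [ '[', '\\', ']', '^', '_', '`' ]
}

// Hypothetical POSIX-shell quoter: an argument that matches safePattern is
// passed through unquoted; anything else is wrapped in single quotes, with
// each embedded single quote closed, escaped and reopened as '\''.
function quoteWith(safePattern, arg) {
  if (safePattern.test(arg)) return arg;
  return "'" + arg.replace(/'/g, "'\\''") + "'";
}

// Weak safe-list: a "drive letter" shortcut written with the broad class.
// Because [A-z] also covers 0x5B..0x60, a lone backtick satisfies it.
const WEAK_SAFE = /^[A-z]:?[\w./-]*$/;

// Corrected safe-list: the letter ranges spelled out explicitly.
const FIXED_SAFE = /^[A-Za-z]:?[\w./-]*$/;

// Audit: pass each stray character through a quoter and collect those that
// are returned unchanged, i.e. would reach the shell bare. An empty result
// means the quoter never leaks them.
function leakedBare(quoter) {
  return strayCharacters().filter((ch) => quoter(ch) === ch);
}

const weakQuoter = (arg) => quoteWith(WEAK_SAFE, arg);
const fixedQuoter = (arg) => quoteWith(FIXED_SAFE, arg);

// Stand-alone run: show the stray set and what each quoter leaks.
console.log('stray characters:', strayCharacters());
console.log('leaked by WEAK_SAFE :', leakedBare(weakQuoter));
console.log('leaked by FIXED_SAFE:', leakedBare(fixedQuoter));
```

The audit helper is the part worth keeping: a regression test that runs every ASCII punctuation character through the project's quoting routine and fails if any of them is returned unquoted catches this class of range error regardless of which regex introduced it.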
Recommendations: For versions prior to 1.7.3, update to version 1.7.3 or later to resolve the issue. As a temporary workaround, consider restricting the use of the exec() function with output from the shell-quote package until a patch is available. Avoid passing unvalidated input to the exec() function to minimize the risk of exploitation.

Fix

Weakness Enumeration

Command Injection

Related Identifiers

CVE-2021-42740
GHSA-G4RG-993R-MGX7
SUSE-SU-2022:3313-1
SUSE-SU-2022:3314-1
SUSE-SU-2022:3761-1
SUSE-SU-2023:0592-1

Affected Products

Suse
Shell-Quote