Vulnerability	Vulnerable Version
H Remote Code Execution (RCE) shell-quote is a package used to quote and parse shell commands. Affected versions of this package are vulnerable to Remote Code Execution (RCE). An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is `{A-z]` instead of the correct `{A-Za-z]`. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character. How to fix Remote Code Execution (RCE)? Upgrade `shell-quote` to version 1.7.3 or higher.	<1.7.3
H Command Injection shell-quote is a package used to quote and parse shell commands. Affected versions of this package are vulnerable to Command Injection. The `quote` function does not properly escape the following special characters `<`, `>`, `;`, `{`, `}` , and as a result can be used by an attacker to inject malicious shell commands or leak sensitive information. How to fix Command Injection? Upgrade `shell-quote` to version 1.6.1 or higher.	<1.6.1

Remote Code Execution (RCE)

shell-quote is a package used to quote and parse shell commands.

Affected versions of this package are vulnerable to Remote Code Execution (RCE). An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is {A-z] instead of the correct {A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.

How to fix Remote Code Execution (RCE)?

Upgrade shell-quote to version 1.7.3 or higher.

<1.7.3

Command Injection

shell-quote is a package used to quote and parse shell commands.

Affected versions of this package are vulnerable to Command Injection. The quote function does not properly escape the following special characters <, >, ;, {, } , and as a result can be used by an attacker to inject malicious shell commands or leak sensitive information.

How to fix Command Injection?

Upgrade shell-quote to version 1.6.1 or higher.

<1.6.1

Go back to all versions of this package