Improper Input Validation Affecting shlex package, versions <1.3.0


Severity: high

CVSS assessment made by Snyk's Security Team.

  • Snyk ID: SNYK-RUST-SHLEX-6183715
  • Published: 22 Jan 2024
  • Disclosed: 21 Jan 2024
  • Credit: Unknown

Introduced: 21 Jan 2024

CVE: not available. CWE-20

How to fix?

Upgrade shlex to version 1.3.0 or higher.

Overview

shlex is a Rust crate for splitting a string into shell words, like Python's shlex.

Affected versions of this package are vulnerable to Improper Input Validation via the quote and join APIs. An attacker can potentially inject multiple arguments where only one is expected, leading to undesired consequences and potentially arbitrary command execution by passing manipulated output to a shell. Additionally, the handling of nul bytes in strings can result in security-sensitive outcomes in uncommon scenarios when used in Unix command arguments or environment variables. Furthermore, control characters pose a risk when writing directly to the standard input of an interactive shell, as they can cause misbehaviour including arbitrary command injection.

Workaround

This vulnerability can be mitigated by checking for the bytes { and \xa0 in quote/join input or output, and by checking for nul bytes in quote/join input or output.
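The following is an added example of that workaround, not code from the shlex crate or from Snyk: a byte-level pre-check that an application would run on each argument before handing it to quote or join, rejecting the three byte values the workaround names. It does not depend on the shlex crate itself; the rejection reasons and the sample arguments are constructed for illustration.

```rust
/// Reason a candidate shell word was rejected before reaching quote()/join().
/// (Hypothetical type for this example; positions are byte offsets.)
#[derive(Debug, PartialEq, Eq)]
pub enum Rejection {
    /// 0x00: nul bytes cannot be carried in a Unix argv entry or environment variable.
    Nul { pos: usize },
    /// 0x7b '{': one of the two bytes the workaround says to check for.
    Brace { pos: usize },
    /// 0xa0: the other byte; also the second byte of UTF-8 U+00A0 (C2 A0).
    NonBreakingSpace { pos: usize },
}

/// Scan one word's bytes. Working on bytes rather than chars means the UTF-8
/// encoding of U+00A0 is caught through its trailing 0xA0 byte.
pub fn check_word(word: &[u8]) -> Result<(), Rejection> {
    for (pos, &b) in word.iter().enumerate() {
        match b {
            0x00 => return Err(Rejection::Nul { pos }),
            b'{' => return Err(Rejection::Brace { pos }),
            0xa0 => return Err(Rejection::NonBreakingSpace { pos }),
            _ => {}
        }
    }
    Ok(())
}

/// Check every argument destined for join(); report which argument failed.
pub fn check_words<'a, I>(words: I) -> Result<(), (usize, Rejection)>
where
    I: IntoIterator<Item = &'a str>,
{
    for (idx, w) in words.into_iter().enumerate() {
        check_word(w.as_bytes()).map_err(|r| (idx, r))?;
    }
    Ok(())
}

fn main() {
    // Constructed sample arguments: the last three must each be rejected.
    let args = ["ls", "-l", "safe file.txt", "pre{a,b}post", "nul\0byte", "nb\u{a0}space"];
    for a in args {
        println!("{:?} -> {:?}", a, check_word(a.as_bytes()));
    }
}
```

Only arguments for which check_word/check_words return Ok should be passed on to quote or join; anything else is refused rather than quoted.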

CVSS Scores

version 3.1