Command Injection Affecting shell-quote package, versions <1.6.1



    Exploit Maturity Proof of concept
    Attack Complexity Low
    Confidentiality High
    Integrity High
    Availability High
Expand this section
9.8 critical

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID npm:shell-quote:20160621
  • published 21 Jun 2016
  • disclosed 21 Jun 2016
  • credit Koki Takahashi, Node Security Team

How to fix?

Upgrade shell-quote to version 1.6.1 or higher.


shell-quote is a package used to quote and parse shell commands.

Affected versions of this package are vulnerable to Command Injection. The quote function does not properly escape the following special characters <, >, ;, {, } , and as a result can be used by an attacker to inject malicious shell commands or leak sensitive information.

Proof of Concept

Consider the following poc.js application

var quote = require('shell-quote').quote;
var exec = require('child_process').exec;

var userInput = process.argv[2];

var safeCommand = quote(['echo', userInput]);

exec(safeCommand, function (err, stdout, stderr) { console.log(stdout); });

Running the following command will not only print the character a as expected, but will also run the another command, i.e touch

$ node poc.js 'a;{touch,}'