Command Injection Affecting shell-quote package, versions <1.6.1

  • Exploit Maturity

    Proof of concept

  • published

    21 Jun 2016

  • disclosed

    21 Jun 2016

  • credit

    Koki Takahashi, Node Security Team

How to fix?

Upgrade shell-quote to version 1.6.1 or higher.


shell-quote is a package used to quote and parse shell commands.

Affected versions of this package are vulnerable to Command Injection. The quote function does not properly escape the special characters <, >, ;, { and }. An attacker who controls an argument passed to quote can therefore inject malicious shell commands or leak sensitive information.

Proof of Concept

Consider the following poc.js application:

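var quote = require('shell-quote').quote;
var exec = require('child_process').exec;

// Attacker-controlled value taken from the command line
var userInput = process.argv[2];

// Treated as safe after quoting, but affected versions leave <, >, ;, { and } unescaped
var safeCommand = quote(['echo', userInput]);

// exec() passes the string to a shell, which interprets any unescaped characters
exec(safeCommand, function (err, stdout, stderr) { console.log(stdout); });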

Running the following command will not only print the character a as expected, but will also run another command, i.e. touch:

$ node poc.js 'a;{touch,}'
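
A regression check for this class of bug, as an added example that is not part of the advisory or of shell-quote: auditQuote accepts any quote(args) function (for instance require('shell-quote').quote from the installed version) and reports which of the advisory's characters reach the output outside quotes and without a backslash. The names unescapedMetachars, auditQuote, passThroughQuote and escapingQuote are constructed for illustration; the two stand-in quoters are not shell-quote's source.

```javascript
// Characters the advisory lists as not properly escaped by quote() before 1.6.1.
const ADVISORY_CHARS = ['<', '>', ';', '{', '}'];

// Walk a command string using POSIX sh quoting rules and return the advisory
// characters that appear outside quotes and without a preceding backslash.
function unescapedMetachars(command) {
  const found = [];
  let state = 'plain'; // 'plain' | 'single' | 'double'
  for (let i = 0; i < command.length; i++) {
    const ch = command[i];
    if (state === 'single') {
      if (ch === "'") state = 'plain'; // nothing is special inside '...'
    } else if (ch === '\\') {
      i++; // skip the character that follows a backslash
    } else if (state === 'double') {
      if (ch === '"') state = 'plain';
    } else if (ch === "'") {
      state = 'single';
    } else if (ch === '"') {
      state = 'double';
    } else if (ADVISORY_CHARS.includes(ch) && !found.includes(ch)) {
      found.push(ch);
    }
  }
  return found;
}

// Feed a quote(args) implementation one probe per advisory character plus the
// advisory's PoC argument; return the probes whose output is left unprotected.
function auditQuote(quoteFn) {
  const probes = ADVISORY_CHARS.map((c) => 'a' + c + 'b').concat(['a;{touch,}']);
  const failures = [];
  for (const probe of probes) {
    const leaked = unescapedMetachars(quoteFn(['echo', probe]));
    if (leaked.length > 0) failures.push({ probe, leaked });
  }
  return failures;
}

// Constructed stand-ins: one passes the characters through unchanged, the
// other backslash-escapes them.
const passThroughQuote = (args) => args.join(' ');
const escapingQuote = (args) =>
  args.map((a) => a.replace(/([<>;{}\\'"\s])/g, '\\$1')).join(' ');

console.log(auditQuote(passThroughQuote)); // six failing probes
console.log(auditQuote(escapingQuote));    // []
```

An empty array from auditQuote means none of the advisory's characters reached the command string unprotected for these probes.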