CVE-2021-42740
Improper Neutralization of Special Elements used in a Command in Shell-quote
Description
The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is {A-z] instead of the correct {A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.
How to fix CVE-2021-42740
To remediate CVE-2021-42740, upgrade the affected package to a fixed version below.
- —upgrade to 1.7.3+~1.7.1-1 or later
- —upgrade to 1.7.3 or later
Is CVE-2021-42740 being exploited?
Moderate — EPSS is 9.0%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (2)
- from 0, < 1.7.3+~1.7.1-1
- >= 1.6.3, < 1.7.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |