CVE-2021-42740
Command Injection vulnerability in shell-quote (npm)
What is CVE-2021-42740 About?
The shell-quote package for Node.js is vulnerable to command injection due to an insecure regex used for parsing shell metacharacters. This allows an attacker to inject arbitrary commands if the package's output is passed to a shell's `exec()` function. This vulnerability is exploitable by crafting malicious input that bypasses the intended sanitization.
Affected Software
Technical Details
The vulnerability in the shell-quote package arises from an incorrect regex used to handle Windows drive letters. Specifically, the regex uses `[A-z]` instead of `[A-Za-z]`. Because the class is an ASCII range, it inadvertently includes the characters that sit between 'Z' and 'a', among them the backtick (`). When the package's output, containing such unescaped metacharacters, is subsequently passed as a quoted argument to a shell command executed via `exec()`, the shell interprets these characters, leading to arbitrary command injection. Attackers can embed these special characters in their input to execute commands on the host system.
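The following is an added example, not code from shell-quote or its patch. It shows which ASCII characters the `[A-z]` range admits that `[A-Za-z]` does not, and pairs that with two defensive helpers (hypothetical names `quotePosixArg` and `unquotedMetachars`) that a caller can use before handing a string to `exec()`: conservative single-quote wrapping, and a check that no shell metacharacter survives unquoted.

```javascript
// Buggy and fixed character classes, compared in isolation (assumption:
// shell-quote's surrounding drive-letter logic is not reproduced here).
const BUGGY = /^[A-z]$/;
const FIXED = /^[A-Za-z]$/;

// Characters with ASCII codes strictly between 'Z' and 'a' that `re` accepts.
function gapChars(re) {
  const out = [];
  for (let code = 'Z'.charCodeAt(0) + 1; code < 'a'.charCodeAt(0); code++) {
    const ch = String.fromCharCode(code);
    if (re.test(ch)) out.push(ch);
  }
  return out;
}
// gapChars(BUGGY) -> [ '[', '\\', ']', '^', '_', '`' ]; gapChars(FIXED) -> []

// Conservative POSIX quoting: wrap in single quotes and write each embedded
// single quote as '\''. Inside single quotes every byte is literal, so the
// backtick and the other gap characters can never reach the shell.
function quotePosixArg(arg) {
  return "'" + String(arg).replace(/'/g, "'\\''") + "'";
}

// Metacharacters a POSIX shell acts on when they appear unquoted.
const META = new Set(['`', '$', '|', '&', ';', '<', '>', '(', ')', '\n']);

// Scan a command line and return every metacharacter that is neither inside
// quotes nor backslash-escaped. Backtick and $ stay active inside double
// quotes, which is exactly the case that bit shell-quote here.
function unquotedMetachars(cmd) {
  const found = [];
  let inSingle = false, inDouble = false, escaped = false;
  for (const ch of cmd) {
    if (escaped) { escaped = false; continue; }
    if (inSingle) { if (ch === "'") inSingle = false; continue; }
    if (ch === '\\') { escaped = true; continue; }
    if (inDouble) {
      if (ch === '"') inDouble = false;
      else if (ch === '`' || ch === '$') found.push(ch);
      continue;
    }
    if (ch === "'") { inSingle = true; continue; }
    if (ch === '"') { inDouble = true; continue; }
    if (META.has(ch)) found.push(ch);
  }
  return found;
}
```

A non-empty result from `unquotedMetachars` on a string built from user input is the signal to reject the call rather than pass it to `exec()`.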
What is the Impact of CVE-2021-42740?
Successful exploitation may allow attackers to execute arbitrary commands on the host system, leading to full system compromise, data theft, or denial of service.
What is the Exploitability of CVE-2021-42740?
Exploitation requires a crafted input string that contains specific unescaped shell metacharacters, making the complexity moderate. No specific authentication or privilege beyond interacting with the vulnerable application's input processing is required. Access is typically remote, as an attacker would submit the malicious input through an application interface. The key prerequisite is that the application uses the vulnerable shell-quote package and passes its output to a shell exec() function. Risk factors increase if the application processes untrusted user input using the affected package.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-42740?
About the Fix from Resolved Security
The patch fixes a regular expression so that it correctly matches both uppercase and lowercase drive letters on Windows file paths by changing [A-z] to [A-Za-z]. This resolves CVE-2021-42740 by preventing special characters in certain paths from going unescaped, blocking command injection or unintended shell execution that could occur due to incomplete input sanitization.
Available Upgrade Options
- shell-quote
- >1.6.3, <1.7.3 → Upgrade to 1.7.3
Additional Resources
- https://github.com/ljharb/shell-quote/blob/master/CHANGELOG.md#173
- https://github.com/ljharb/shell-quote/commit/5799416ed454aa4ec9afafc895b4e31760ea1abe
- https://github.com/substack/node-shell-quote/commit/5799416ed454aa4ec9afafc895b4e31760ea1abe
- https://www.npmjs.com/package/shell-quote
- https://github.com/substack/node-shell-quote/blob/master/CHANGELOG.md#173
- https://github.com/ljharb/shell-quote
- https://nvd.nist.gov/vuln/detail/CVE-2021-42740
- https://osv.dev/vulnerability/GHSA-g4rg-993r-mgx7
What are Similar Vulnerabilities to CVE-2021-42740?
Similar Vulnerabilities: CVE-2014-6302, CVE-2016-10702, CVE-2017-1000257, CVE-2018-1000538, CVE-2020-15161
