cvedb.io
CVE-2021-42740
CRITICAL · CVSS 9.8
EPSS exploitation probability: 0%
Published 2021-10-21T15:15:07.633 · Last modified 2026-06-17T04:10:03.200

Summary

The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through the regex that is meant to leave Windows drive-letter prefixes (such as `C:`) unescaped. If the output of this package is passed to a real shell as a quoted argument to a command, for example via child_process.exec(), an attacker can inject arbitrary commands. The cause is that the drive-letter character class is `[A-z]` instead of the correct `[A-Za-z]`: in ASCII, several shell metacharacters sit between capital letter Z and lower-case letter a (`[`, `\`, `]`, `^`, `_` and the backtick), so a backtick followed by a colon is treated as a drive letter and copied through without escaping.
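The two character classes side by side, as an added example that is not part of this page or of the shell-quote project: the escaping branch below is reconstructed from the summary's description of the drive-letter regex and the 1.7.3 fix (assumed to match the final `else` branch of upstream `quote()`, which handles strings containing no whitespace or quote characters), and the payload string is constructed for illustration.

```javascript
// Added example, not shell-quote's own code. Both functions apply the same
// metacharacter escaping; the only difference is the character class used
// for the optional Windows drive-letter prefix captured in group 1.

// Vulnerable form (before 1.7.3): [A-z] also covers [ \ ] ^ _ and the
// backtick, so "`:" is captured as a "drive letter" and emitted verbatim.
function quoteBareVulnerable(s) {
  return String(s).replace(/([A-z]:)?([#!"$&'()*,:;<=>?@\[\\\]^`{|}])/g, '$1\\$2');
}

// Fixed form (1.7.3): only ASCII letters may form a drive-letter prefix.
function quoteBareFixed(s) {
  return String(s).replace(/([A-Za-z]:)?([#!"$&'()*,:;<=>?@\[\\\]^`{|}])/g, '$1\\$2');
}

// The characters that [A-z] matches but [A-Za-z] does not.
function gapBetweenZAndA() {
  const out = [];
  for (let c = 'Z'.charCodeAt(0) + 1; c < 'a'.charCodeAt(0); c++) {
    out.push(String.fromCharCode(c));
  }
  return out; // [ '[', '\\', ']', '^', '_', '`' ]
}

// Count backticks that are not escaped by a backslash, i.e. the ones a
// POSIX shell would treat as opening or closing a command substitution.
function unescapedBackticks(quoted) {
  let n = 0;
  for (let i = 0; i < quoted.length; i++) {
    if (quoted[i] === '\\') { i++; continue; } // skip the escaped character
    if (quoted[i] === '`') n++;
  }
  return n;
}

// Constructed attacker-controlled argument (assumed input, not from the
// advisory). Every backtick the attacker wants to survive is followed by
// ':' and a metacharacter so that the vulnerable regex treats "`:" as a
// drive-letter prefix.
const PAYLOAD = '`:`whoami``:;';

function demo(payload = PAYLOAD) {
  const vuln = quoteBareVulnerable(payload);
  const fixed = quoteBareFixed(payload);
  return {
    vuln,                                      // `:\`whoami\``:\;
    fixed,                                     // \`\:\`whoami\`\`\:\;
    vulnUnescaped: unescapedBackticks(vuln),   // 2
    fixedUnescaped: unescapedBackticks(fixed), // 0
  };
}

// A legitimate drive-letter path is handled the same way by both versions:
// the "C:" prefix stays unescaped and the backslash is escaped.
function drivePathCheck() {
  return quoteBareVulnerable('C:\\path') === quoteBareFixed('C:\\path')
    && quoteBareFixed('C:\\path') === 'C:\\\\path';
}
```

With the vulnerable output, a POSIX shell reads the first and last unescaped backticks as an outer command substitution whose body is `:\`whoami\``; inside backticks a backslash-escaped backtick becomes a literal one, so the body runs as `:` with a nested `whoami` substitution as its argument, and `whoami` executes even though the application only meant to pass a quoted string. The fixed class escapes all four backticks, and a legitimate `C:\path` argument is quoted identically by both versions, which is why the narrower class is the right fix rather than dropping drive-letter support.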

Affected products

shell-quote_project — shell-quote (versions before 1.7.3)


This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.