9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-42740

GHSA ID

GHSA-g4rg-993r-mgx7

EPSS Score

0.91368%

CWE

CWE-77

Published

5/24/2022

Updated

2/2/2024

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-42740

CVE-2021-42740: Improper Neutralization of Special Elements used in a Command in Shell-quote

The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is [A-z] instead of the correct [A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-42740

GHSA ID

GHSA-g4rg-993r-mgx7

EPSS Score

0.91368%

CWE

CWE-77

Published

5/24/2022

Updated

2/2/2024

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
shell-quote	npm	<= 1.7.2	1.7.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the regex pattern in the quote function located in index.js. The commit diff shows the critical fix was changing [A-z] to [A-Za-z] in the drive letter regex. This incorrect character class allowed injection via characters like backticks. The function's purpose (shell argument quoting) and the added test case explicitly testing this scenario confirm its role in the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** s**ll-quot* p**k*** ***or* *.*.* *or No**.js *llows *omm*n* inj**tion. *n *tt**k*r **n inj**t un*s**p** s**ll m*t****r**t*rs t*rou** * r***x **si*n** to support Win*ows *riv* l*tt*rs. I* t** output o* t*is p**k*** is p*ss** to * r**l s**ll *s * q

Reasoning

T** vuln*r**ility st*ms *rom t** r***x p*tt*rn in t** `quot*` *un*tion lo**t** in `in**x.js`. T** *ommit *i** s*ows t** *riti**l *ix w*s ***n*in* [*-z] to [*-Z*-z] in t** *riv* l*tt*r r***x. T*is in*orr**t ***r**t*r *l*ss *llow** inj**tion vi* ***r**

9.8

Basic Information

Concerned about an active attack path?

CVE-2021-42740: Improper Neutralization of Special Elements used in a Command in Shell-quote

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI