
GHSA-286m-6pg9-v42v: Duplicate Advisory: Multiple issues involving quote API in shlex

CVSS Score
3.2 (CVSS v3.1)

Basic Information

CVE ID
-
EPSS Score
-
Published
7/28/2025
Updated
7/28/2025
KEV Status
No
Technology
Rust

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N
Package Name
shlex
Ecosystem
rust
Vulnerable Versions
< 1.3.0
First Patched Version
1.3.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability exists in the shlex crate because the quote and join functions did not quote two kinds of input that a shell treats specially: the brace characters { and } (which drive brace expansion in shells such as bash) and the non-breaking space (\xa0). A string containing these characters was returned unquoted, so if the caller handed the result to a shell it could be split into several command-line arguments instead of being treated as one. Whether this becomes command injection depends on how the calling application uses the output, but the contract of quote and join is that the result is a single argument, and that contract was broken for these inputs.

Comparing version 1.2.0 with the minimally patched version 1.2.1 (commit 4c53044f62ba3e0921b6283e8ae37f7039c23643) shows the fix. The patch modifies shlex::bytes::quote, which holds the core quoting logic, so that {, } and a range of Unicode characters (including \xa0) trigger quoting. The public functions shlex::quote and shlex::join in src/lib.rs both delegate to this function, so both were affected and both are fixed by the same change. A runtime profile of an exploitation attempt would therefore show calls to shlex::quote and/or shlex::join, which in turn call shlex::bytes::quote.

Vulnerable functions

shlex::quote
src/lib.rs
This function was vulnerable because it did not quote the special characters `{` and `\xa0`. An attacker could supply a string containing them, and if the unquoted output was passed to a shell it could be split into multiple arguments instead of one, which may enable command injection depending on the command being executed.
shlex::join
src/lib.rs
This function joins multiple strings into a single command line, quoting each argument as needed by calling `shlex::quote`. Because `quote` did not quote these characters, `join` inherited the same flaw: attacker-controlled input could produce a command string in which argument boundaries are not preserved, with the same potential for command injection.
shlex::bytes::quote
src/bytes.rs
This is the underlying implementation for `shlex::quote` that operates on byte slices. The vulnerability lived here, in an incomplete set of bytes that trigger quoting. The patch expands that set, which prevents the argument splitting described above.
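The following Rust program is an added example, not code from the shlex crate or from this advisory. It models the quoting logic described above with two policies: a simplified pre-fix table that omits `{`, `}` and non-ASCII bytes, and a hardened table that includes them. The character table, the function names (`quote_old`, `quote_fixed`, `join_old`, `join_fixed`, `would_brace_expand`) and the sample arguments are this example's own assumptions; the hardened policy quotes every non-ASCII byte, which is stricter than the crate's patch but safe, since single quotes preserve bytes verbatim. The `would_brace_expand` check is a small model of the bash rule that an unquoted `{...,...}` expands into several words; it is the kind of audit check a caller can run over a generated command line.

```rust
// Added example: a simplified model of POSIX single-quote quoting.
// Not the shlex crate's implementation; character sets are illustrative.

/// Simplified stand-in for a pre-fix "needs quoting" table: shell
/// metacharacters, whitespace and globbing characters, but no `{`, `}`
/// and nothing outside ASCII. (Assumed set, not the crate's real table.)
fn is_shell_special_old(b: u8) -> bool {
    matches!(
        b,
        b'|' | b'&' | b';' | b'<' | b'>' | b'(' | b')' | b'$' | b'`' | b'\\'
            | b'"' | b'\'' | b' ' | b'\t' | b'\r' | b'\n' | b'*' | b'?' | b'['
            | b']' | b'#' | b'~' | b'=' | b'%'
    )
}

/// Hardened table: also quote the brace-expansion characters and every
/// non-ASCII byte, which covers U+00A0 NO-BREAK SPACE (UTF-8: C2 A0).
fn is_shell_special_fixed(b: u8) -> bool {
    is_shell_special_old(b) || matches!(b, b'{' | b'}') || b >= 0x80
}

/// Wrap `s` in single quotes when any byte needs quoting. An embedded
/// single quote becomes '\'' (close quote, escaped quote, reopen quote).
fn quote_with(s: &str, needs_quoting: fn(u8) -> bool) -> String {
    if s.is_empty() {
        return "''".to_string();
    }
    if !s.bytes().any(needs_quoting) {
        return s.to_string(); // returned unquoted: this is the risky path
    }
    let mut out = String::with_capacity(s.len() + 2);
    out.push('\'');
    for c in s.chars() {
        if c == '\'' {
            out.push_str("'\\''");
        } else {
            out.push(c);
        }
    }
    out.push('\'');
    out
}

pub fn quote_old(s: &str) -> String {
    quote_with(s, is_shell_special_old)
}

pub fn quote_fixed(s: &str) -> String {
    quote_with(s, is_shell_special_fixed)
}

/// Join arguments into one command line, quoting each with `quote`.
fn join_with(args: &[&str], quote: fn(&str) -> String) -> String {
    args.iter().map(|a| quote(a)).collect::<Vec<_>>().join(" ")
}

pub fn join_old(args: &[&str]) -> String {
    join_with(args, quote_old)
}

pub fn join_fixed(args: &[&str]) -> String {
    join_with(args, quote_fixed)
}

/// Audit check modelling bash brace expansion: true if the command line
/// contains `{` ... `,` ... `}` outside single quotes. Simplification:
/// only comma-lists are recognised, `{a..b}` sequence ranges are not.
pub fn would_brace_expand(cmdline: &str) -> bool {
    let mut in_quote = false;
    let mut in_brace = false;
    let mut has_comma = false;
    for c in cmdline.chars() {
        match c {
            '\'' => in_quote = !in_quote,
            _ if in_quote => {}
            '{' => {
                in_brace = true;
                has_comma = false;
            }
            ',' if in_brace => has_comma = true,
            '}' if in_brace => {
                if has_comma {
                    return true;
                }
                in_brace = false;
            }
            _ => {}
        }
    }
    false
}

fn main() {
    // Constructed sample arguments: a brace list and a name containing U+00A0.
    let brace_arg = "backup{,.old}";
    let nbsp_arg = "my\u{a0}file";
    for args in [&["rm", "-f", brace_arg][..], &["cat", nbsp_arg][..]].iter() {
        let old = join_old(args);
        let fixed = join_fixed(args);
        println!("old:   {}  (brace expansion: {})", old, would_brace_expand(&old));
        println!("fixed: {}  (brace expansion: {})", fixed, would_brace_expand(&fixed));
    }
}
```

With the old table, `rm -f backup{,.old}` reaches bash unquoted and expands to `rm -f backup backup.old`, deleting a file the caller never named; with the hardened table the argument stays one word. The caller-side mitigation is independent of the crate: build the process with `std::process::Command::new(prog).args(&args)`, which passes argv directly without a shell, and reserve `quote`/`join` for cases where a shell string is genuinely required.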

WAF Protection Rules

WAF Rule

### Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-r7qv-8r2h-pg27. This link is maintained to preserve external references.
### Original Description
The shlex crate before 1.2.1 for Rust allows unquoted and un
