CVE-2021-3725

7.5 HIGH

📋 TL;DR

CVE-2021-3725 is a command injection vulnerability in the dirhistory plugin for Oh My Zsh. It allows attackers to execute arbitrary commands by tricking users into navigating to directories with malicious names and using Alt-Left/Right keyboard shortcuts. This affects users of Oh My Zsh with the dirhistory plugin enabled.

💻 Affected Systems

Products:
  • Oh My Zsh
Versions: All versions before commit 06fc5fb (September 2021)
Operating Systems: Linux, macOS, Unix-like systems
Default Config Vulnerable: ✅ No
Notes: Only affects users who have enabled the dirhistory plugin. The plugin is not enabled by default in Oh My Zsh.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with arbitrary command execution as the current user, potentially leading to privilege escalation, data theft, or complete system takeover.

🟠

Likely Case

Local privilege escalation or arbitrary code execution within the user's context, allowing attackers to access sensitive files, install malware, or pivot to other systems.

🟢

If Mitigated

Limited impact if users don't use the dirhistory plugin or have restricted directory permissions, though the vulnerability still exists in the code.

🌐 Internet-Facing: LOW - This requires local access or social engineering to create malicious directories and user interaction with keyboard shortcuts.
🏢 Internal Only: MEDIUM - Internal attackers with access to create directories could exploit this against other users on shared systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires:
  1. User with dirhistory plugin enabled
  2. Ability to create directories with malicious names
  3. User pressing Alt-Left/Right after navigating to the malicious directory

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit 06fc5fb and later

Vendor Advisory: https://github.com/ohmyzsh/ohmyzsh/commit/06fc5fb

Restart Required: No

Instructions:

  1. Update Oh My Zsh: 'omz update'
  2. Or manually apply commit 06fc5fb
  3. Restart terminal session

🔧 Temporary Workarounds

Disable dirhistory plugin (all platforms)

Remove dirhistory from your Oh My Zsh plugins list: edit ~/.zshrc and remove 'dirhistory' from the plugins array.

Avoid untrusted directories (all platforms)

Do not navigate to directories with suspicious names.

🧯 If You Can't Patch

  • Disable the dirhistory plugin immediately
  • Implement strict directory permissions to prevent users from creating directories with special characters

🔍 How to Verify

Check if Vulnerable:

Check if dirhistory plugin is enabled in ~/.zshrc and Oh My Zsh version is pre-commit 06fc5fb

Check Version:

cd ~/.oh-my-zsh && git merge-base --is-ancestor 06fc5fb HEAD && echo "fix commit present" || echo "fix commit missing"

(Grepping 'git log --oneline -1' for 06fc5fb only matches when HEAD is exactly that commit; 'git merge-base --is-ancestor' also succeeds for every later commit, which is the normal state after an update.)

Verify Fix Applied:

Verify Oh My Zsh is updated to commit 06fc5fb or later: 'cd ~/.oh-my-zsh && git merge-base --is-ancestor 06fc5fb HEAD && echo fixed' (prints 'fixed' only when the fix commit is in HEAD's history)
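The two checks above (plugin enabled in ~/.zshrc, fix commit present in the checkout) combined into one POSIX sh script, as an added example that is not part of this advisory or of the Oh My Zsh project. The function names and exit-code convention are constructed here; the default paths (~/.zshrc, ~/.oh-my-zsh, with $ZDOTDIR and $ZSH honoured when set) are Oh My Zsh's usual locations, and the fix commit id 06fc5fb comes from the advisory.

```shell
#!/bin/sh
# Added example (not from the advisory or the Oh My Zsh project): a POSIX sh
# check for CVE-2021-3725 exposure on the local account. An account is exposed
# only when BOTH hold: the dirhistory plugin is enabled in the zsh rc file, and
# the Oh My Zsh checkout does not yet contain fix commit 06fc5fb.
# Function names and the exit-code convention are constructed for this example.

FIX_COMMIT=06fc5fb   # fix commit id as given in the advisory

# dirhistory_enabled RCFILE
# Exit 0 if RCFILE enables the dirhistory plugin. Handles the single-line
# form `plugins=(git dirhistory)` and the multi-line form with one plugin per
# line, ignores anything after `#` (a commented-out entry does not count), and
# uses the LAST plugins=( ... ) assignment, as zsh itself would.
dirhistory_enabled() {
    rcfile=$1
    [ -r "$rcfile" ] || return 1
    sed 's/#.*$//' "$rcfile" \
      | tr '\n' ' ' \
      | sed -n 's/.*plugins=(\([^)]*\)).*/\1/p' \
      | tr ' \t' '\n\n' \
      | grep -qx 'dirhistory'
}

# fix_applied REPO
# Exit 0 if the checkout at REPO has FIX_COMMIT in HEAD's history.
# `git log --oneline -1 | grep 06fc5fb` only matches when HEAD *is* that
# commit; `merge-base --is-ancestor` also accepts every later commit. If git is
# missing, REPO is not a repository, or a shallow clone does not know the
# commit object, this fails, and callers treat that as "not proven fixed".
fix_applied() {
    repo=$1
    git -C "$repo" merge-base --is-ancestor "$FIX_COMMIT" HEAD 2>/dev/null
}

# is_vulnerable RCFILE REPO
# Exit 0 when exposed (plugin enabled and fix not proven present), 1 otherwise.
is_vulnerable() {
    dirhistory_enabled "$1" || return 1
    fix_applied "$2" && return 1
    return 0
}

# report RCFILE REPO
# Human-readable summary. Always exits 0 so the script can be sourced or run
# under `set -e` without aborting an interactive session.
report() {
    if ! dirhistory_enabled "$1"; then
        echo "not exposed: dirhistory plugin is not enabled in $1"
    elif fix_applied "$2"; then
        echo "not exposed: $2 already contains fix commit $FIX_COMMIT"
    else
        echo "EXPOSED: dirhistory enabled in $1 and $FIX_COMMIT not found in $2 (run 'omz update')"
    fi
    return 0
}

# Usage against the real account, using Oh My Zsh's default locations.
report "${ZDOTDIR:-$HOME}/.zshrc" "${ZSH:-$HOME/.oh-my-zsh}"
```

Note that a missing or unreadable checkout is reported as exposed when the plugin is enabled: the script never claims "fixed" without positive evidence that the commit is in HEAD's history.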

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution from zsh sessions
  • Directory navigation patterns with special characters

Network Indicators:

  • Outbound connections from zsh processes following directory navigation

SIEM Query:

process.name:zsh AND command_line:*eval* AND command_line:*directory*

🔗 References