CVE-2021-42740 – The shell-quote package for Node.js has a comma... (How to Fix)

Q: What is the severity of CVE-2021-42740?

CVE-2021-42740 has a CVSS score of 9.8 (CRITICAL). The shell-quote package for Node.js has a command injection vulnerability due to incorrect regex character class {A-z] instead of {A-Za-z] for Windows drive letters. This allows attackers to inject shell metacharacters when output is passed to exec(), potentially leading to arbitrary command execution. Any Node.js application using shell-quote before version 1.7.3 is affected.

📋 TL;DR

The shell-quote package for Node.js has a command injection vulnerability due to incorrect regex character class {A-z] instead of {A-Za-z] for Windows drive letters. This allows attackers to inject shell metacharacters when output is passed to exec(), potentially leading to arbitrary command execution. Any Node.js application using shell-quote before version 1.7.3 is affected.

💻 Affected Systems

Products:

shell-quote Node.js package

Versions: All versions before 1.7.3

Operating Systems: All operating systems where Node.js runs

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability is present in default configuration when using shell-quote with exec() or similar shell execution functions.

📦 What is this software?

Shell Quote by Shell Quote Project

View all CVEs affecting Shell Quote →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with remote code execution, data exfiltration, and lateral movement within the environment.

🟠

Likely Case

Arbitrary command execution with the privileges of the Node.js process, potentially leading to data theft or service disruption.

🟢

If Mitigated

Limited impact if proper input validation, sandboxing, and least privilege principles are implemented.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires user-controlled input to be processed by vulnerable shell-quote and passed to exec(). The vulnerability is well-documented with public proof-of-concept examples.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.7.3 and later

Vendor Advisory: https://github.com/substack/node-shell-quote/blob/master/CHANGELOG.md#173

Restart Required: Yes

Instructions:

1. Update package.json to require shell-quote version 1.7.3 or higher. 2. Run 'npm update shell-quote' or 'yarn upgrade shell-quote'. 3. Restart all Node.js applications using the package.

🔧 Temporary Workarounds

Input validation and sanitization

all

Implement strict input validation to reject any input containing shell metacharacters before passing to shell-quote.

Use alternative quoting methods

all

Replace shell-quote with alternative safe quoting libraries or built-in Node.js child_process.spawn with proper argument handling.

🧯 If You Can't Patch

Implement strict input validation to reject any characters between ASCII 91-96 (including backtick).
Run Node.js processes with minimal privileges and in isolated containers or sandboxes.

🔍 How to Verify

Check if Vulnerable:

Check package.json or node_modules/shell-quote/package.json for version number less than 1.7.3.

Check Version:

npm list shell-quote | grep shell-quote

Verify Fix Applied:

Verify shell-quote version is 1.7.3 or higher in package.json and test with known malicious inputs containing backticks or other metacharacters.

📡 Detection & Monitoring

Log Indicators:

Unexpected shell commands in application logs
Process spawning with unusual arguments
Error messages containing shell metacharacters

Network Indicators:

Unexpected outbound connections from Node.js processes
Data exfiltration patterns

SIEM Query:

process.name:node AND cmdline:*backtick* OR cmdline:*`*

📊 Metadata

CVE ID: CVE-2021-42740

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-77

Published: October 21, 2021

Last Updated: November 21, 2024

🔗 References

https://github.com/substack/node-shell-quote/blob/master/CHANGELOG.md#173 Third Party Advisory
https://github.com/substack/node-shell-quote/commit/5799416ed454aa4ec9afafc895b4e31760ea1abe Patch,Third Party Advisory
https://www.npmjs.com/package/shell-quote Vendor Advisory
https://github.com/substack/node-shell-quote/blob/master/CHANGELOG.md#173 Third Party Advisory
https://github.com/substack/node-shell-quote/commit/5799416ed454aa4ec9afafc895b4e31760ea1abe Patch,Third Party Advisory
https://www.npmjs.com/package/shell-quote Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-42740, you might also want to check these: