Potential Command Injection

Module: shell-quote

Published: June 21st, 2016

Reported by: Koki Takahashi, Node Security Team


Vulnerable: <=1.6.0
Patched: >=1.6.1


The npm module "shell-quote" cannot correctly escape ">" and "<" operator used for redirection in shell. I'm wondering if this might be possible vulnerability for many application which depends on shell-quote.

For example:

const quote = require('shell-quote').quote; console.log(quote(['foo>bar']));

will print "foo>bar", where "foo>bar" is desirable.

This module is downloaded more than 1M times per month and many other modules are depending on this. If an application is escaping command-line args with this module, they might be vulnerable from malicious user input.

For example:

var sq = require('../tests/get/shell-quote-1.6.0');
var exec = require('child_process').exec;

var pattern = process.argv[2];

command = sq.quote(['grep', pattern]));
exec('cat file | ' + command, function ( err, stdout, stderr) {
    console.log(command, stdout);   

will be vulnerable when user input something like pattern = ':</etc/passwd', which causes the content of /etc/passwd to be leaked.

Internally, (Jon Lamendola, Nick Starke, Jacob Waddell) found that the ;, {, and } characters weren't escaped properly either. This allows for full command injection. A malicious user could input 'a;{echo,test,123,234}' to execute echo fully.


Upgrade to at least version 1.6.1

Sign up FREE for
nsp Continuous Security

Free for open source and the first private repo,
then just $1/mo per private repo