VYPR
Critical severity · NVD Advisory · Published May 31, 2018 · Updated Sep 17, 2024

CVE-2016-10541

Description

shell-quote 1.6.0 and earlier fails to escape '<', '>', '{', '}', and ';' characters, enabling command injection via shell metacharacters.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The npm module shell-quote version 1.6.0 and earlier does not correctly escape the < and > operators used for shell redirection, as well as {, }, and ; characters. This allows an attacker to inject arbitrary shell commands when user-supplied input is passed through the quote() function and executed by the shell. All versions prior to 1.6.1 are affected [1][2].

Exploitation

An attacker does not require authentication or special network position; exploitation occurs when an application uses shell-quote to sanitize user input that is subsequently passed to a shell command. The attacker provides a payload such as a;{echo,test,123,234}, which shell-quote fails to escape properly. The shell interprets the unescaped { and } as brace expansion and the ; as a command separator, executing the injected command [2].

Impact

Successful exploitation results in arbitrary command injection with the privileges of the process running the shell. This can lead to full system compromise, data exfiltration, or further lateral movement, depending on the application context [1][2].

Mitigation

Users should update to version 1.6.1 or later, which includes proper escaping for the vulnerable characters. No known workaround exists other than upgrading. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog [2].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| shell-quote (npm) | < 1.6.1 | 1.6.1 |

Vulnerability mechanics

Root cause

"The shell-quote library fails to escape the shell metacharacters `>`, `;`, `{`, and `}` in user-supplied arguments, enabling command injection via Bash brace expansion."

Attack vector

An attacker supplies a string containing shell metacharacters (such as `;`, `{`, `}`) as an argument to an application that uses `shell-quote`'s `quote` function to escape user input for shell commands. Because the library does not escape these characters, the attacker can inject arbitrary shell commands. For example, the input `a;{echo,test,123,234}` is output unescaped; Bash treats the `;` as a command separator and expands `{echo,test,123,234}` to the words `echo test 123 234`, which then run as a separate command, achieving full command injection [CWE-78] [CWE-94] [ref_id=1].

Affected code

The vulnerability exists in the `quote` function of the npm `shell-quote` module (versions 1.6.0 and earlier). The function fails to properly escape the characters `>`, `;`, `{`, and `}` when constructing shell command strings from user-supplied arguments [ref_id=1].

What the fix does

The advisory recommends updating to shell-quote version 1.6.1 or later [ref_id=1]. No patch diff is included in the bundle, but the fix adds proper escaping for the characters `>`, `;`, `{`, and `}` so that they are treated as literal text rather than shell operators. This closes the command injection vector by preventing Bash from interpreting brace expansion or other shell metacharacters in user-supplied arguments.

Preconditions

  • config: The application must use the shell-quote library (version 1.6.0 or earlier) to escape user-supplied input for shell commands.
  • input: The attacker must be able to supply arbitrary string input that is passed to the quote() function.
  • config: The shell executing the command must be Bash (or another shell that supports brace expansion).

Reproduction

```javascript
const quote = require('shell-quote').quote;
console.log(quote(['a;{echo,test,123,234}']));
// Actual:   "a;{echo,test,123,234}"
// Expected: "a\;\{echo,test,123,234\}"
```

The output is not escaped, allowing shell injection via Bash brace expansion [ref_id=1].
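The following is an added example, not code from shell-quote or from this advisory. It audits the output of a quoting routine for metacharacters a POSIX shell would still interpret, so a project can check its own quoter (or an installed shell-quote version) against the payload above; `weakQuote` is a constructed stand-in that mimics the 1.6.0 behaviour on these inputs, not the library's real code, and `PAYLOADS` are constructed samples.

```javascript
// Operators checked: the five named in the advisory plus common others.
// Illustrative, not an exhaustive shell grammar.
const META = new Set([';', '<', '>', '{', '}', '&', '|', '$', '`', '(', ')', '*', '?']);

// Returns the metacharacters in `word` that are still "live": outside single
// quotes, not backslash-escaped, and (inside double quotes) only $ and `.
function liveMetachars(word) {
  const live = [];
  let state = 'none'; // 'none' | 'single' | 'double'
  for (let i = 0; i < word.length; i++) {
    const c = word[i];
    if (state === 'none') {
      if (c === '\\') { i++; continue; }            // escaped char is literal
      if (c === "'") { state = 'single'; continue; }
      if (c === '"') { state = 'double'; continue; }
      if (META.has(c)) live.push(c);
    } else if (state === 'single') {
      if (c === "'") state = 'none';                // nothing else is special
    } else { // double quotes: only $ ` " \ keep their meaning
      if (c === '\\' && '$`"\\'.includes(word[i + 1] || '')) { i++; continue; }
      if (c === '"') state = 'none';
      else if (c === '$' || c === '`') live.push(c);
    }
  }
  if (state !== 'none') live.push('unterminated quote');
  return live;
}

// Single-quote wrapping: the only byte needing care is the quote itself.
function safeQuote(arg) {
  return "'" + String(arg).replace(/'/g, "'\\''") + "'";
}

// Constructed stand-in (NOT shell-quote's code): escapes some operators but
// leaves < > { } ; untouched, like the advisory describes for 1.6.0.
function weakQuote(arg) {
  return String(arg).replace(/([$`&|()])/g, '\\$1');
}

// Run a quoter over hostile inputs; returns the inputs it leaves unsafe.
function audit(quoteFn, inputs) {
  return inputs.filter((s) => liveMetachars(quoteFn(s)).length > 0);
}

const PAYLOADS = ['a;{echo,test,123,234}', 'x > out.txt', "it's < in"]; // constructed
console.log(audit(weakQuote, PAYLOADS)); // all three flagged
console.log(audit(safeQuote, PAYLOADS)); // []
```

Passing arguments as an array to `child_process.execFile` (no shell involved) avoids the quoting problem entirely; the audit is for code paths that must build a shell string.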

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
