Critical severity9.8NVD Advisory· Published Oct 21, 2021· Updated Jun 17, 2026
CVE-2021-42740
CVE-2021-42740
Description
The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is {A-z] instead of the correct {A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
shell-quotenpm | >= 1.6.3, < 1.7.3 | 1.7.3 |
Affected products
61- Node.js/shell-quotedescription
- osv-coords60 versionspkg:apk/chainguard/jitsucom-jitsupkg:apk/chainguard/jitsucom-jitsu-consolepkg:apk/chainguard/jitsucom-jitsu-rotorpkg:apk/wolfi/jitsucom-jitsupkg:apk/wolfi/jitsucom-jitsu-consolepkg:apk/wolfi/jitsucom-jitsu-rotorpkg:npm/shell-quotepkg:rpm/suse/cobbler&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/drools&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/grafana-formula&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/httpcomponents-asyncclient&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/image-sync-formula&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/inter-server-sync&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/mgr-daemon&distro=SUSE%20Manager%20Proxy%20Module%204.2pkg:rpm/suse/mgr-osad&distro=SUSE%20Manager%20Proxy%20Module%204.2pkg:rpm/suse/mgr-osad&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/patterns-suse-manager&distro=SUSE%20Manager%20Proxy%20Module%204.2pkg:rpm/suse/patterns-suse-manager&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/prometheus-formula&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/py27-compat-salt&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/release-notes-susemanager&distro=SUSE%20Manager%20Server%204.2pkg:rpm/suse/release-notes-susemanager&distro=SUSE%20Manager%20Server%204.3pkg:rpm/suse/release-notes-susemanager-proxy&distro=SUSE%20Manager%20Proxy%204.2pkg:rpm/suse/release-notes-susemanager-proxy&distro=SUSE%20Manager%20Proxy%204.3pkg:rpm/suse/release-notes-susemanager-proxy&distro=SUSE%20Manager%20Retail%20Branch%20Server%204.2pkg:rpm/suse/release-notes-susemanager-proxy&distro=SUSE%20Manager%20Retail%20Branch%20Server%204.3pkg:rpm/suse/rhnlib&distro=SUSE%20Manager%20Proxy%20Module%204.2pkg:rpm/suse/rhnlib&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/saltboot-formula&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/salt-netapi-client&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/smdba&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/spacecmd&distro=SUSE%20Manager%20Proxy%20Module%204.2pkg:rpm/suse/spacecmd&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/spacewalk-admin&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/spacewalk-backend&distro=SUSE%20Manager%20Proxy%20Module%204.2pkg:rpm/suse/spacewalk-backend&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/spacewalk-certs-tools&distro=SUSE%20Manager%20Proxy%20Module%204.2pkg:rpm/suse/spacewalk-certs-tools&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/spacewalk-client-tools&distro=SUSE%20Manager%20Proxy%20Module%204.2pkg:rpm/suse/spacewalk-client-tools&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/spacewalk-java&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/spacewalk-proxy&distro=SUSE%20Manager%20Proxy%20Module%204.2pkg:rpm/suse/spacewalk-proxy-installer&distro=SUSE%20Manager%20Proxy%20Module%204.2pkg:rpm/suse/spacewalk-search&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/spacewalk-web&distro=SUSE%20Manager%20Proxy%20Module%204.2pkg:rpm/suse/spacewalk-web&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/subscription-matcher&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/supportutils-plugin-susemanager&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/susemanager-build-keys&distro=SUSE%20Manager%20Proxy%20Module%204.2pkg:rpm/suse/susemanager-build-keys&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/susemanager&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/susemanager-doc-indexes&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/susemanager-docs_en&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/susemanager-schema&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/susemanager-sls&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/susemanager-tftpsync-recv&distro=SUSE%20Manager%20Proxy%20Module%204.2pkg:rpm/suse/uyuni-common-libs&distro=SUSE%20Manager%20Proxy%20Module%204.2pkg:rpm/suse/uyuni-common-libs&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/virtual-host-gatherer&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/woodstox&distro=SUSE%20Manager%20Server%20Module%204.2
< 0+ 59 more
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: >= 1.6.3, < 1.7.3
- (no CPE)range: < 3.1.2-150300.5.19.1
- (no CPE)range: < 7.17.0-150300.4.6.2
- (no CPE)range: < 0.8.1-150300.3.9.2
- (no CPE)range: < 4.1.4-150300.3.3.2
- (no CPE)range: < 0.1.1661440526.b08d95b-150300.3.3.2
- (no CPE)range: < 0.2.3-150300.8.22.2
- (no CPE)range: < 4.2.10-150300.2.9.4
- (no CPE)range: < 4.2.9-150300.2.12.2
- (no CPE)range: < 4.2.9-150300.2.12.2
- (no CPE)range: < 4.2-150300.4.12.2
- (no CPE)range: < 4.2-150300.4.12.2
- (no CPE)range: < 0.7.0-150300.3.17.2
- (no CPE)range: < 3000.3-150300.7.7.23.2
- (no CPE)range: < 4.2.9-150300.3.54.1
- (no CPE)range: < 4.3.2-150400.3.15.1
- (no CPE)range: < 4.2.9-150300.3.43.1
- (no CPE)range: < 4.3.2-150400.3.9.3
- (no CPE)range: < 4.2.9-150300.3.43.1
- (no CPE)range: < 4.3.2-150400.3.9.3
- (no CPE)range: < 4.2.7-150300.4.12.2
- (no CPE)range: < 4.2.7-150300.4.12.2
- (no CPE)range: < 0.1.1661440526.b08d95b-150300.3.12.2
- (no CPE)range: < 0.20.0-150300.3.9.4
- (no CPE)range: < 1.7.11-0.150300.3.12.2
- (no CPE)range: < 4.2.19-150300.4.27.2
- (no CPE)range: < 4.2.19-150300.4.27.2
- (no CPE)range: < 4.2.12-150300.3.15.3
- (no CPE)range: < 4.2.24-150300.4.29.5
- (no CPE)range: < 4.2.24-150300.4.29.5
- (no CPE)range: < 4.2.18-150300.3.24.3
- (no CPE)range: < 4.2.18-150300.3.24.3
- (no CPE)range: < 4.2.20-150300.4.24.3
- (no CPE)range: < 4.2.20-150300.4.24.3
- (no CPE)range: < 4.2.41-150300.3.43.5
- (no CPE)range: < 4.2.12-150300.3.21.3
- (no CPE)range: < 4.2.11-150300.3.14.2
- (no CPE)range: < 4.2.8-150300.3.12.2
- (no CPE)range: < 4.2.29-150300.3.27.3
- (no CPE)range: < 4.2.29-150300.3.27.3
- (no CPE)range: < 0.29-150300.6.12.2
- (no CPE)range: < 4.2.5-150300.3.9.2
- (no CPE)range: < 15.3.6-150300.3.6.2
- (no CPE)range: < 15.3.6-150300.3.6.2
- (no CPE)range: < 4.2.37-150300.3.41.1
- (no CPE)range: < 4.2-150300.12.33.4
- (no CPE)range: < 4.2-150300.12.33.2
- (no CPE)range: < 4.2.24-150300.3.27.3
- (no CPE)range: < 4.2.27-150300.3.33.4
- (no CPE)range: < 4.2.5-150300.3.6.2
- (no CPE)range: < 4.2.7-150300.3.9.2
- (no CPE)range: < 4.2.7-150300.3.9.2
- (no CPE)range: < 1.0.24-150300.3.9.2
- (no CPE)range: < 4.4.2-150300.3.6.2
Patches
Vulnerability mechanics
References
7- github.com/substack/node-shell-quote/commit/5799416ed454aa4ec9afafc895b4e31760ea1abenvdPatchThird Party Advisory
- github.com/advisories/GHSA-g4rg-993r-mgx7ghsaADVISORY
- github.com/substack/node-shell-quote/blob/master/CHANGELOG.mdnvdThird Party Advisory
- nvd.nist.gov/vuln/detail/CVE-2021-42740ghsaADVISORY
- www.npmjs.com/package/shell-quotenvdVendor AdvisoryWEB
- github.com/ljharb/shell-quote/blob/master/CHANGELOG.mdghsaWEB
- github.com/ljharb/shell-quote/commit/5799416ed454aa4ec9afafc895b4e31760ea1abeghsaWEB
News mentions
0No linked articles in our index yet.