CVE-2024-58266
Description
The shlex crate before 1.2.1 for Rust allows unquoted and unescaped instances of the { and \xa0 characters, which may facilitate command injection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The shlex crate before 1.2.1 for Rust fails to escape the { and \xa0 characters, allowing unquoted instances that can lead to command injection when output is passed to a shell.
Vulnerability
The shlex crate for Rust, versions prior to 1.2.1, fails to properly quote or escape the { (curly brace) and \xa0 (non-breaking space) bytes when producing shell command arguments via the quote or join APIs [1][2]. These characters can appear unquoted and unescaped in the output, which may be misinterpreted by a shell [3]. Specifically, { is significant for glob expansion, and \xa0 is treated as a word separator in certain environments [3].
Exploitation
If an application uses shlex::quote or shlex::join to construct a command string that is subsequently passed to a shell (e.g., via sh -c or similar), an attacker who controls part of the input may inject these unquoted characters. This does not directly allow arbitrary command injection, but it can cause a single intended argument to be split into multiple arguments [3]. Depending on the command being run, this argument splitting may lead to undesired behavior and, in some cases, could enable arbitrary command execution [3].
Impact
A successful exploit could allow an attacker to alter the interpretation of a command, potentially leading to execution of unintended commands or malicious operations [2][3]. The vulnerability is classified as a code execution and file disclosure risk by the RustSec advisory [2].
Mitigation
The flaw is addressed starting in version 1.2.1, which adds escaping for the { and \xa0 bytes [3]. The maintainers recommend updating to version 1.3.0, which also deprecates the original quote and join APIs in favor of try_quote and try_join; the new APIs return an error instead of silently producing output when the input contains null bytes [2][3]. As a workaround, callers can manually check input or output strings for these characters before handing the result to a shell [2][3].
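The following is an added example, not code from the shlex crate or the advisory: a small stdlib-only Rust routine that shows both halves of the mitigation. try_quote_posix and try_join_posix are hypothetical names that mirror the shape of the 1.3.0 try_quote/try_join APIs (error on a NUL byte rather than silently emitting it), and has_unquoted_risk is the manual workaround check for the { and \xa0 characters. The quoting strategy is a conservative allow-list: anything outside a small safe set is wrapped in single quotes, which in POSIX sh disables every form of expansion, so { and \xa0 can never reach the shell unquoted.

```rust
// Added example (not the shlex crate's own code): a minimal POSIX quoting
// routine in the spirit of shlex 1.3.0's try_quote/try_join, plus the
// manual check the advisory suggests as a workaround for pre-1.2.1 versions.
use std::fmt;

#[derive(Debug, PartialEq)]
pub enum QuoteError {
    /// A NUL byte cannot be represented on a shell command line at all,
    /// so the only safe answer is to refuse the argument.
    Nul,
}

impl fmt::Display for QuoteError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            QuoteError::Nul => write!(f, "argument contains a NUL byte"),
        }
    }
}

/// Workaround check from the advisory: true if `s` contains one of the two
/// characters that shlex before 1.2.1 left unquoted ('{' and U+00A0).
pub fn has_unquoted_risk(s: &str) -> bool {
    s.chars().any(|c| c == '{' || c == '\u{a0}')
}

/// Conservative allow-list of characters safe to emit bare. Everything else
/// (including '{', '\xa0', spaces, quotes and shell metacharacters) is quoted.
fn is_safe_char(c: char) -> bool {
    c.is_ascii_alphanumeric()
        || matches!(c, '-' | '_' | '.' | '/' | '=' | ':' | ',' | '+' | '@' | '%')
}

/// Quote one argument for POSIX sh. Returns an error on NUL instead of
/// producing a string the shell would silently truncate.
pub fn try_quote_posix(arg: &str) -> Result<String, QuoteError> {
    if arg.contains('\0') {
        return Err(QuoteError::Nul);
    }
    if !arg.is_empty() && arg.chars().all(is_safe_char) {
        return Ok(arg.to_string());
    }
    // Inside single quotes nothing is special except the closing quote, so a
    // literal ' is written as '\'' (close, escaped quote, reopen).
    let mut out = String::with_capacity(arg.len() + 2);
    out.push('\'');
    for c in arg.chars() {
        if c == '\'' {
            out.push_str("'\\''");
        } else {
            out.push(c);
        }
    }
    out.push('\'');
    Ok(out)
}

/// Quote every argument and join with single spaces; any NUL aborts the join.
pub fn try_join_posix(args: &[&str]) -> Result<String, QuoteError> {
    let mut parts = Vec::with_capacity(args.len());
    for a in args {
        parts.push(try_quote_posix(a)?);
    }
    Ok(parts.join(" "))
}

fn main() {
    // Constructed sample inputs covering the advisory's two characters,
    // an embedded single quote and a NUL byte.
    for input in ["plain-arg", "file{1,2}.txt", "a\u{a0}b", "it's", "bad\0byte"] {
        match try_quote_posix(input) {
            Ok(q) => println!("{:?} -> {} (workaround flags it: {})", input, q, has_unquoted_risk(input)),
            Err(e) => println!("{:?} -> rejected: {}", input, e),
        }
    }
}
```

Because the allow-list never includes { or U+00A0, an argument containing them always comes back single-quoted, and the workaround check on the original input tells a caller which arguments an old shlex version would have mishandled.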
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| shlex (crates.io) | < 1.3.0 | 1.3.0 |
Affected products
comex/shlex
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.