CVE-2021-42740 Overview
CVE-2021-42740 is a command injection vulnerability affecting the shell-quote package for Node.js before version 1.7.3. The vulnerability exists due to an incorrect regular expression used to support Windows drive letters, which fails to properly escape shell metacharacters. When the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands and gain control over the affected system.
Critical Impact
Remote attackers can inject arbitrary shell commands through the vulnerable regex pattern, potentially leading to complete system compromise, data exfiltration, and unauthorized access to sensitive resources.
Affected Products
- shell-quote for Node.js versions prior to 1.7.3
- Applications using shell-quote to process user-controlled input
- Node.js applications that pass shell-quote output to exec() or similar shell execution functions
Discovery Timeline
- 2021-10-21 - CVE-2021-42740 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-42740
Vulnerability Analysis
The vulnerability stems from an incorrectly defined character class in the regular expression used to detect Windows drive letters. The regex uses the character class [A-z] instead of the correct [A-Za-z]. In ASCII, six characters lie between uppercase 'Z' (ASCII 90) and lowercase 'a' (ASCII 97): [, \, ], ^, _, and the backtick (`). Because the range [A-z] spans that gap, these characters are accepted as a drive letter and pass through the regex unescaped.
Among these characters, the backtick is particularly dangerous as it is used for command substitution in Unix-like shells. When user-controlled input containing backticks passes through the vulnerable shell-quote function and is subsequently executed via shell commands, the content within the backticks is executed as a separate command, enabling arbitrary command injection.
Root Cause
The root cause is an improper neutralization error (CWE-77: Command Injection): the Windows drive letter detection regex fails to escape part of its input. The character class [A-z] inadvertently includes the shell metacharacters that sit in the ASCII range between 'Z' (0x5A) and 'a' (0x61), so input containing them bypasses the intended escaping mechanism and reaches the shell as live syntax.
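The character-class defect and the escaping step it breaks, as an added example. This is not shell-quote's own source: the two escaping regexes below are a simplified model of the package's unquoted-argument branch (an assumed shape, where an optional "<letter>:" prefix is copied through and every other metacharacter gets a backslash), and the regression check feeds each character from the Z..a gap into the drive-letter position to see which ones the flawed pattern lets through.

```javascript
// Added example, not shell-quote's source: the flawed and corrected drive-letter
// classes side by side, plus a regression check over a simplified model of the
// package's escaping step (assumed shape: "<letter>:" prefix copied through,
// every other metacharacter backslash-escaped).

const FLAWED_CLASS = /^[A-z]$/;    // before 1.7.3
const FIXED_CLASS = /^[A-Za-z]$/;  // 1.7.3

// The ASCII characters strictly between 'Z' (0x5A) and 'a' (0x61).
function gapChars() {
  const out = [];
  for (let code = 0x5a + 1; code < 0x61; code++) out.push(String.fromCharCode(code));
  return out;
}

// Which of those characters a class accepts as a "drive letter".
function gapCharsMatchedBy(cls) {
  return gapChars().filter((ch) => cls.test(ch));
}

// Model of the escaping step (assumption, not the library's exact regex): group 1
// keeps an optional "<letter>:" prefix so C:\path survives, group 2 escapes one
// shell metacharacter.
const FLAWED_RE = /([A-z]:)?([#!"$&'()*,:;<=>?@\[\\\]^`{|}])/g;
const FIXED_RE = /([A-Za-z]:)?([#!"$&'()*,:;<=>?@\[\\\]^`{|}])/g;

function escapeWith(re, s) {
  return String(s).replace(re, '$1\\$2');
}

// Reference: escape every metacharacter, with no drive-letter exception at all.
function escapeAll(s) {
  return String(s).replace(/([#!"$&'()*,:;<=>?@\[\\\]^`{|}])/g, '\\$1');
}

// Regression check: put each gap character in the drive-letter position ("c:#",
// followed by one harmless metacharacter) and list the characters the escaper
// lets through unescaped, i.e. the ones it mistakes for a drive letter.
function driveLetterPassthrough(re) {
  return gapChars().filter((c) => escapeWith(re, c + ':#') !== escapeAll(c + ':#'));
}

console.log('[A-z] accepts:      ', gapCharsMatchedBy(FLAWED_CLASS));
console.log('[A-Za-z] accepts:   ', gapCharsMatchedBy(FIXED_CLASS));
console.log('flawed lets through:', driveLetterPassthrough(FLAWED_RE));
console.log('fixed lets through: ', driveLetterPassthrough(FIXED_RE));
console.log(escapeWith(FIXED_RE, 'C:\\temp')); // the drive colon stays, the backslash is escaped
```

Running it shows all six gap characters accepted by [A-z] and passed through by the flawed pattern, while the corrected pattern escapes every one of them and still leaves a genuine `C:` prefix intact.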
Attack Vector
The attack is network-accessible and requires no authentication or user interaction. The exploitation chain is:
- Malicious input containing backticks or other unescaped metacharacters (such as `malicious_command`) reaches the application
- The vulnerable shell-quote package passes this input through without proper escaping
- The application hands the output to a shell execution function such as exec(), and the injected command runs with the privileges of the Node.js process
The vulnerability is particularly dangerous in applications that accept user input and construct shell commands dynamically, such as build tools, automation scripts, and web applications that interact with the system shell.
Detection Methods for CVE-2021-42740
Indicators of Compromise
- Unexpected process spawning from Node.js applications, particularly processes not typically associated with the application's normal operation
- Command execution logs showing unusual characters like backticks in arguments
- Network connections initiated from Node.js processes to unexpected destinations
- Anomalous file system activity or permission changes correlated with Node.js process execution
Detection Strategies
- Audit package.json and package-lock.json files for shell-quote versions below 1.7.3
- Use npm audit or similar dependency scanning tools to identify vulnerable packages
- Implement runtime monitoring to detect unexpected shell command execution from Node.js processes
- Deploy application-level logging to capture input patterns containing shell metacharacters
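A lockfile check for the first two strategies above, added here as an example and not taken from the advisory or from npm. npm audit is the normal tool; this walker is for lockfiles you only have as files (an offline archive, a CI artifact). It handles lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages" keyed by node_modules path), assumes plain x.y.z version strings, and the two lockfile objects below are constructed samples.

```javascript
// Added example: flag shell-quote entries below the fixed version in a
// package-lock.json object. Not part of npm or the advisory.
const PACKAGE = 'shell-quote';
const FIXED_VERSION = '1.7.3';

// Constructed sample lockfiles (not real projects).
const SAMPLE_LOCK_V2 = {
  name: 'example-app',
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-app', dependencies: { 'shell-quote': '^1.7.2', 'some-cli': '2.0.0' } },
    'node_modules/shell-quote': { version: '1.7.2' },
    'node_modules/some-cli': { version: '2.0.0', dependencies: { 'shell-quote': '^1.7.3' } },
    'node_modules/some-cli/node_modules/shell-quote': { version: '1.7.3' },
  },
};
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    'some-cli': { version: '2.0.0', dependencies: { 'shell-quote': { version: '1.6.1' } } },
    'shell-quote': { version: '1.8.0' },
  },
};

// Assumes plain x.y.z versions; anything else is refused rather than guessed.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error('unsupported version string: ' + v);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison, so 1.10.0 is correctly newer than 1.7.3.
function isBelow(version, fixed) {
  const a = parseVersion(version);
  const b = parseVersion(fixed);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// lockfileVersion 1: recurse through nested "dependencies" trees.
function walkV1(deps, prefix, fixed, hits) {
  for (const [name, meta] of Object.entries(deps)) {
    const path = prefix + 'node_modules/' + name;
    if (name === PACKAGE && meta.version && isBelow(meta.version, fixed)) {
      hits.push({ path, version: meta.version });
    }
    if (meta.dependencies) walkV1(meta.dependencies, path + '/', fixed, hits);
  }
}

// Returns every installed copy of shell-quote (including nested ones) below `fixed`.
function findVulnerableShellQuote(lock, fixed = FIXED_VERSION) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by the install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      const isShellQuote = path.includes('node_modules/') && path.split('/').pop() === PACKAGE;
      if (isShellQuote && meta.version && isBelow(meta.version, fixed)) {
        hits.push({ path, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    walkV1(lock.dependencies, '', fixed, hits);
  }
  return hits;
}

console.log('v2 lockfile:', findVulnerableShellQuote(SAMPLE_LOCK_V2));
console.log('v1 lockfile:', findVulnerableShellQuote(SAMPLE_LOCK_V1));
```

To run it against a real file, parse package-lock.json with JSON.parse and pass the object in; note that nested copies under another package's node_modules are reported with their full path, since an upgrade at the top level does not fix those.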
Monitoring Recommendations
- Monitor for process creation events where the parent process is Node.js and child processes include shells (/bin/sh, /bin/bash, cmd.exe)
- Implement alerts for input patterns containing backticks, especially in web-facing applications
- Use SentinelOne Singularity to monitor behavioral anomalies in Node.js application processes
- Review application logs for error messages related to shell command execution failures
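The process-creation rule described in the monitoring list, as an added example that is not from the advisory or from any vendor product. The telemetry events are constructed and use a minimal shape (parent image, child image, child command line) that EDR or auditd exports can be mapped onto; a shell spawned by a Node.js process is flagged, and a backtick in the command line raises the severity because that is the character the flawed regex fails to escape.

```javascript
// Added example: detection logic over constructed process-creation events.
// Not from the advisory or any product; field names are this example's own.
const SAMPLE_EVENTS = [
  { ts: '2024-03-01T10:00:00Z', parent: '/usr/bin/node', image: '/bin/sh',
    cmdline: 'sh -c convert /srv/uploads/photo.png -resize 50% /srv/out/photo.png' },
  { ts: '2024-03-01T10:00:01Z', parent: '/usr/bin/node', image: '/bin/sh',
    cmdline: 'sh -c convert /srv/uploads/`hostname`.png /srv/out/x.png' },
  { ts: '2024-03-01T10:00:02Z', parent: '/usr/sbin/cron', image: '/bin/sh',
    cmdline: 'sh -c /usr/local/bin/backup.sh' },
  { ts: '2024-03-01T10:00:03Z', parent: '/usr/bin/node', image: '/usr/bin/convert',
    cmdline: 'convert a.png b.png' },
  { ts: '2024-03-01T10:00:04Z', parent: 'C:\\Program Files\\nodejs\\node.exe',
    image: 'C:\\Windows\\System32\\cmd.exe', cmdline: 'cmd.exe /c dir C:\\data' },
];

const NODE_IMAGES = new Set(['node', 'node.exe', 'nodejs']);
const SHELL_IMAGES = new Set(['sh', 'bash', 'dash', 'zsh', 'cmd.exe', 'powershell.exe']);

// Last path component, lower-cased, for either path separator.
function basename(p) {
  return String(p).split(/[\\/]/).pop().toLowerCase();
}

// Rule: a shell spawned by a Node.js process. A backtick in the command line
// raises severity; the other characters from the same ASCII gap ([ \ ] ^) are
// reported for the analyst but do not decide the verdict, because backslash is
// a normal path separator on Windows. '_' is omitted as far too common.
function analyzeEvent(ev) {
  if (!NODE_IMAGES.has(basename(ev.parent)) || !SHELL_IMAGES.has(basename(ev.image))) {
    return null;
  }
  const hasBacktick = ev.cmdline.includes('`');
  const gapChars = [...new Set(ev.cmdline.match(/[\[\\\]^`]/g) || [])];
  return {
    ts: ev.ts,
    severity: hasBacktick ? 'high' : 'medium',
    reason: hasBacktick ? 'node-spawned shell with backtick in command line' : 'node-spawned shell',
    gapChars,
    cmdline: ev.cmdline,
  };
}

function analyzeEvents(events) {
  return events.map(analyzeEvent).filter(Boolean);
}

// Count findings per severity, e.g. { high: 1, medium: 2 }.
function summarize(findings) {
  return findings.reduce((acc, f) => {
    acc[f.severity] = (acc[f.severity] || 0) + 1;
    return acc;
  }, {});
}

for (const f of analyzeEvents(SAMPLE_EVENTS)) {
  console.log(f.severity, f.ts, f.reason, f.gapChars);
}
console.log(summarize(analyzeEvents(SAMPLE_EVENTS)));
```

The medium findings are the tuning knob: an application that legitimately shells out will produce them constantly, so in practice the node-to-shell rule is paired with an allow-list of expected command lines and only the backtick case pages anyone.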
How to Mitigate CVE-2021-42740
Immediate Actions Required
- Upgrade the shell-quote package to version 1.7.3 or later immediately
- Audit all applications using shell-quote to identify affected deployments
- Implement input validation to reject or sanitize user input containing shell metacharacters before processing
- Consider using alternative methods to execute commands that do not rely on shell interpretation, such as child_process.spawn() with the shell: false option (the default)
Patch Information
The vulnerability was fixed in shell-quote version 1.7.3. The patch corrects the Windows drive letter regex from [A-z] to [A-Za-z], so that shell metacharacters in the ASCII range between 'Z' and 'a' are escaped again. The fix can be reviewed in the GitHub commit and the changelog entry. The updated package is available on the npm registry.
Workarounds
- If immediate upgrade is not possible, implement strict input validation to reject any input containing characters in the ASCII range 91-96 (including backticks)
- Use child_process.spawn() or child_process.execFile() with an explicit argument array instead of shell string interpolation
- Deploy a Web Application Firewall (WAF) rule to filter requests containing shell metacharacters targeting vulnerable endpoints
- Isolate affected applications in sandboxed environments to limit the impact of potential exploitation
# Upgrade shell-quote to patched version
npm update shell-quote
# Or install specific patched version
npm install shell-quote@1.7.3
# Verify installed version
npm list shell-quote
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


