CVE-2021-45444 Overview
CVE-2021-45444 is a code execution vulnerability in Zsh (the Z shell) before version 5.8.1. It lies in prompt expansion: when the PROMPT_SUBST option is set, the argument of a prompt escape such as %F{...} (foreground colour) is itself run through prompt expansion again, and that nested pass performs command substitution. Text that an attacker controls and that the prompt displays, such as the output of a command embedded in the prompt, can therefore carry a %F{$(...)} sequence whose command zsh executes in the user's shell.
The Z Shell is a popular Unix shell used as an interactive login shell and command interpreter, notably serving as the default shell on macOS since Catalina. This widespread deployment significantly expands the potential impact of this vulnerability across enterprise and consumer environments.
Critical Impact
Attackers who can get text into a Zsh prompt that uses PROMPT_SUBST (for example through a displayed branch or directory name) can execute arbitrary commands as the victim. Because zsh has been the default macOS shell since Catalina, the exposed population spans macOS and Linux desktops and servers.
Affected Products
- Zsh before 5.8.1, on any platform
- Apple macOS: Catalina 10.15.7 and later releases, until Apple's fixed security updates (some databases list this as Mac OS X 10.15.7)
- Fedora 34 and 35
- Debian 9 (stretch), 10 (buster) and 11 (bullseye)
Discovery Timeline
- 2022-02-14 - CVE-2021-45444 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-45444
Vulnerability Analysis
This vulnerability stems from the way Zsh expands the arguments of prompt escapes when PROMPT_SUBST is enabled. PROMPT_SUBST makes zsh apply parameter expansion, command substitution and arithmetic expansion to the prompt string before the prompt escapes (%n, %~, %F{...} and so on) are rendered. The flaw is that the argument of an escape such as %F{...} was then prompt-expanded a second time, and in that second pass the PROMPT_SUBST substitutions ran again, this time over text the first pass had only substituted in as data.
That second pass is what turns data into code. Most PROMPT_SUBST configurations exist precisely to show dynamic content, such as a Git branch (via vcs_info or a $(git ...) substitution), the current directory's status, or other external output; any such content that contains %F{$(...)} is executed rather than displayed.
The vector is local: the attacker needs some influence over text that ends up in the victim's prompt, and the victim has to render a prompt containing it, typically by changing into a directory or checking out a repository. Branch names, directory and file names, and any other external data that prompt themes commonly display are the usual carriers.
Root Cause
The root cause is the recursive prompt expansion of escape arguments. Prompt escapes such as %F (foreground colour) and %K (background colour) take a {...} argument, and zsh expanded that argument with a further call to the prompt expander; with PROMPT_SUBST set, that nested expansion performed command substitution on the argument. Text arriving through the first, intended substitution pass was therefore expanded twice, and a $(...) placed inside a %F argument by whoever controlled that text was executed.
This is a classic failure to separate data from code: externally sourced data was processed as prompt source rather than as literal display text.
Attack Vector
The attack vector is local: the attacker has to influence content that will appear in the victim's shell prompt. Practical exploitation looks like this:
The attacker crafts a branch name, directory name or other string that the victim's prompt displays through command substitution or a prompt variable. When the victim navigates to it, zsh substitutes the string into the prompt, re-expands the %F{...} argument inside it with PROMPT_SUBST semantics, and the embedded $(...) runs with the user's privileges in the user's shell session.
For example, if the prompt shows Git branch information via vcs_info or a $(git branch) substitution, an attacker who creates a branch whose name contains a %F{$(...)} sequence gets their command run whenever the victim's prompt renders that branch name, such as after entering the repository or checking the branch out.
Mechanically, the payload sits inside the %F{...} argument, where a colour name is expected. In vulnerable versions the argument undergoes another expansion pass with PROMPT_SUBST in effect, so a $(...) placed there escapes the colour-specification context and is executed. For detailed technical analysis, refer to the Ryotak Advisory #63.
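To make the two-level expansion concrete, here is an added example that exercises the analysis and attack-vector description above. It is my own script, not code from this page or from the zsh project. It assumes a POSIX shell and, for the live probe, an installed zsh; the helper names escape_prompt_percent and probe_zsh_prompt_subst are mine, and the marker-file payload is a harmless stand-in for whatever an attacker would place in a branch name.

```shell
#!/bin/sh
# Added example, not from the original page or the zsh project.
# (1) escape_prompt_percent: the escaping that keeps untrusted text inert
#     in a zsh prompt.
# (2) probe_zsh_prompt_subst: a harmless live probe of the recursive
#     %F-argument expansion behind CVE-2021-45444.

# In zsh prompt syntax '%%' renders as a literal '%', so doubling every '%'
# turns any planted %F{...}, %K{...} or other escape into display text.
escape_prompt_percent() {
    printf '%s' "$1" | sed 's/%/%%/g'
}

# Stand-in for attacker-controlled data (e.g. a VCS branch name the prompt
# shows via ${vcs_info_msg_0_} or $(git ...)): a %F escape whose argument
# carries a command substitution. The payload only creates a marker file.
# Prints "vulnerable", "not vulnerable" or "skipped: zsh not installed".
probe_zsh_prompt_subst() {
    command -v zsh >/dev/null 2>&1 || { printf 'skipped: zsh not installed\n'; return 0; }
    marker=$(mktemp) && rm -f "$marker"
    untrusted="%F{\$(touch $marker)}branch%f"
    # The prompt string itself is a trusted '${branch}' reference. The first
    # PROMPT_SUBST pass substitutes the untrusted text in; a vulnerable zsh
    # then expands the %F{...} argument again, running the $(...) inside it.
    # print -P performs the same prompt expansion that PS1 goes through.
    zsh -f -c 'setopt PROMPT_SUBST; branch=$1; print -P "\${branch}" >/dev/null 2>&1' zsh "$untrusted" || true
    if [ -e "$marker" ]; then
        rm -f "$marker"
        printf 'vulnerable\n'
    else
        printf 'not vulnerable\n'
    fi
}

# Demonstration on constructed input.
sample='%F{$(id)}branch%f'
printf 'untrusted text : %s\n' "$sample"
printf 'escaped        : %s\n' "$(escape_prompt_percent "$sample")"
printf 'probe result   : %s\n' "$(probe_zsh_prompt_subst)"

# Hardened wiring for .zshrc (zsh syntax, for reference only): apply the same
# doubling with zsh's :gs modifier before the value ever reaches PROMPT.
#   setopt PROMPT_SUBST
#   precmd() {
#       raw=$(git symbolic-ref --short -q HEAD 2>/dev/null)
#       safe_branch=${raw:gs/%/%%}
#   }
#   PROMPT='%F{green}${safe_branch}%f %# '
```

On a zsh older than 5.8.1 the probe reports "vulnerable" because the marker file appears without any command having been typed; on 5.8.1 or later the %F argument is treated as a (meaningless) colour name and nothing runs. The escaping helper is the defence-in-depth companion to patching: once every % in external text is doubled, a planted %F{...} is printed as literal characters and the prompt's own colour escapes, which live in the trusted prompt string, are unaffected.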
Detection Methods for CVE-2021-45444
Indicators of Compromise
- Prompt text sourced from outside the user's own configuration (branch names, directory names, command output) that contains %F, %K or other prompt escapes, especially with $(, ` or ${ inside the braces
- Directory, file or VCS ref names containing Zsh prompt escape sequences in repositories or on file systems
- Unexpected command execution or process spawning correlated with shell prompt rendering
- Anomalous behavior when navigating to directories with unusual naming patterns
Detection Strategies
- Monitor for interactive Zsh processes spawning unexpected child processes immediately after a directory change or prompt redraw; the payload runs at prompt time, not in response to a typed command
- Audit .zshrc, .zshenv, and other Zsh configuration files for prompt definitions that include unsanitized external command output while PROMPT_SUBST is set
- Implement file integrity monitoring on Zsh configuration files and directories
- Deploy endpoint detection rules for interactive zsh sessions that spawn child processes without a corresponding typed command
Monitoring Recommendations
- Enable command logging and audit trails for shell sessions to detect anomalous execution patterns
- Monitor system calls from Zsh processes for unexpected execve or similar calls during interactive sessions
- Implement behavioral analysis to detect code execution triggered by directory navigation or prompt updates
- Review Git repositories and file systems for content containing potential exploit payloads
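As an added example of the last two review steps (scanning repositories and file systems for payload-shaped names), here is a small POSIX shell hunt. It is my own code, not from the page or the zsh project; the function names and the sample names it scans are constructed for the demonstration, and the heuristic (a % escape followed by substitution syntax) is deliberately narrow.

```shell
#!/bin/sh
# Added example (not from the original page or the zsh project): a hunt for
# names shaped like CVE-2021-45444 payloads, i.e. a '%' prompt escape
# followed by substitution syntax ($(...), `...` or ${...}), in the places
# such text usually enters a prompt: VCS ref names and file system names.

# Return 0 (true) when a single name has the payload shape.
is_suspicious_prompt_text() {
    case "$1" in
        *%*\$\(*|*%*\`*|*%*\$\{*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read names on stdin (one per line), print the suspicious ones, and
# return 0 if anything was flagged. Feed it e.g.
#   git for-each-ref --format='%(refname:short)' | scan_names
scan_names() {
    hits=0
    while IFS= read -r name; do
        if is_suspicious_prompt_text "$name"; then
            printf 'SUSPICIOUS: %s\n' "$name"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -gt 0 ]
}

# Walk a directory tree. Caveat: a name containing a newline is split
# across two input lines by this pipeline and may be missed.
scan_tree() {
    find "$1" -print | scan_names
}

# Demo on constructed data: a temporary tree with one crafted directory
# name, and a constructed list of branch names.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/project/src" "$demo_dir/project/%F{\$(id)}notes"
echo '--- file system scan ---'
scan_tree "$demo_dir" || echo 'nothing flagged'
echo '--- ref name scan ---'
printf '%s\n' main 'release/2.0' 'feature/%F{$(id)}' 'hotfix/%K{`id`}' | scan_names || echo 'nothing flagged'
rm -rf "$demo_dir"
```

Run it against a real checkout with `git -C /path/to/repo for-each-ref --format='%(refname:short)' | scan_names` (remote branches are included, which matters because a fetched branch name is enough to reach a prompt that lists branches) and against home directories with `scan_tree /home`. A plain % in a name, such as a file called `release-100%`, is not flagged; the heuristic looks for the escape-plus-substitution pairing that the vulnerability actually needs.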
How to Mitigate CVE-2021-45444
Immediate Actions Required
- Upgrade Zsh to version 5.8.1 or later immediately across all affected systems
- Audit existing Zsh configurations for prompt definitions that incorporate external command output
- Review and sanitize any custom prompt configurations that use PROMPT_SUBST with dynamic content
- Apply vendor-specific patches for macOS, Debian, and Fedora systems as detailed in their respective security advisories
Patch Information
The vulnerability is addressed in Zsh version 5.8.1 and later. Multiple vendors have released patches addressing this vulnerability:
- Zsh Project: Fixed in version 5.8.1 - see Zsh Release Notes
- Apple: Addressed in macOS security updates - see Apple Support Article HT213255, HT213256, and HT213257
- Debian: Security updates available via Debian Security Advisory DSA-5078 and Debian LTS Announcement
- Fedora: Updates available for Fedora 34 and 35 via Fedora Package Announcements
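To check which hosts still need the upgrade, here is an added example (my own script, not from the page or the zsh project) that parses `zsh --version` banners and compares the version against 5.8.1, the first upstream release with the fix. The banner strings in it are constructed samples, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original page or the zsh project): a fleet
# check that parses `zsh --version` banners and reports whether the build
# is at or past 5.8.1, the first release that fixes CVE-2021-45444.

# Pull "5.8" or "5.8.1" out of a banner such as
# "zsh 5.8 (x86_64-apple-darwin21.0)"; prints nothing for unrecognised input.
zsh_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^zsh \([0-9][0-9.]*\).*/\1/p'
}

# version_ge A B: true when dotted version A >= B, comparing numerically
# field by field, so 5.8 < 5.8.1 < 5.9 < 5.10 (a string compare would
# rank 5.10 below 5.9).
version_ge() {
    v1=$1
    v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        h1=${v1%%.*}
        h2=${v2%%.*}
        case "$v1" in *.*) v1=${v1#*.} ;; *) v1= ;; esac
        case "$v2" in *.*) v2=${v2#*.} ;; *) v2= ;; esac
        [ "${h1:-0}" -gt "${h2:-0}" ] && return 0
        [ "${h1:-0}" -lt "${h2:-0}" ] && return 1
    done
    return 0
}

# Classify a banner as "fixed", "affected" or "unknown".
zsh_cve_2021_45444_status() {
    v=$(zsh_version_from_banner "$1")
    [ -n "$v" ] || { printf 'unknown\n'; return 0; }
    if version_ge "$v" 5.8.1; then printf 'fixed\n'; else printf 'affected\n'; fi
}

# Constructed sample banners in the shape `zsh --version` prints.
for banner in 'zsh 5.8 (x86_64-apple-darwin21.0)' \
              'zsh 5.8.1 (x86_64-pc-linux-gnu)' \
              'zsh 5.9 (aarch64-unknown-linux-gnu)' \
              'bash 5.1'; do
    printf '%-40s -> %s\n' "$banner" "$(zsh_cve_2021_45444_status "$banner")"
done

# The host's own zsh, if present.
command -v zsh >/dev/null 2>&1 \
    && printf 'local zsh: %s -> %s\n' "$(zsh --version)" "$(zsh_cve_2021_45444_status "$(zsh --version)")" \
    || printf 'local zsh: not installed\n'
```

Treat "affected" as "consult the vendor advisory", not as proof: distributions that backport the fix keep the upstream version string (a Debian package built from 5.8 with the DSA-5078 patch still reports `zsh 5.8`), so on those systems the package version, not the banner, is the authority. "fixed" is reliable in the other direction, since 5.8.1 and later contain the change upstream.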
Workarounds
- Disable the PROMPT_SUBST option if nothing needs it: add setopt NO_PROMPT_SUBST (equivalently unsetopt PROMPT_SUBST) to .zshrc. Note that many prompt themes depend on this option and will stop rendering their dynamic content.
- Sanitize external text before it reaches the prompt: double every % (zsh renders %% as a literal %), so a planted %F{...} is displayed as text rather than interpreted as an escape
- Avoid using dynamic command substitution in prompts when sourcing from untrusted content
- Use static prompt configurations without embedded command execution until patching is complete
# Disable PROMPT_SUBST as a temporary workaround
# Add to ~/.zshrc or /etc/zsh/zshrc
setopt NO_PROMPT_SUBST
# Or explicitly sanitize prompt variables
# Replace dynamic content with static alternatives
PS1='%n@%m:%~$ '
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.