shell-quote is a package used to quote and parse shell commands.
Affected versions of this package are vulnerable to Command Injection. The quote function does not properly escape the following special characters: <, >, ;, {, }. As a result, it can be used by an attacker to inject malicious shell commands or leak sensitive information.
Proof of Concept
Consider the following poc.js application:
var quote = require('shell-quote').quote;
var exec = require('child_process').exec;
var userInput = process.argv[2];                 // attacker-controlled value
var safeCommand = quote(['echo', userInput]);    // quote() is expected to neutralise shell metacharacters
exec(safeCommand, function (err, stdout, stderr) { // the string is nevertheless handed to a shell
  console.log(stdout);
});
Running the following command will not only print the character a as expected, but will also run another command, i.e. touch malicious.sh