GHSA-286m-6pg9-v42v: Duplicate Advisory: Multiple issues involving quote API in shlex

July 28, 2025

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-r7qv-8r2h-pg27. This link is maintained to preserve external references.

Original Description

The shlex crate before 1.2.1 for Rust allows unquoted and unescaped instances of the { and \xa0 characters, which may facilitate command injection.

References

crates.io/crates/shlex
github.com/advisories/GHSA-286m-6pg9-v42v
github.com/comex/rust-shlex
github.com/comex/rust-shlex/security/advisories/GHSA-r7qv-8r2h-pg27
nvd.nist.gov/vuln/detail/CVE-2024-58266
rustsec.org/advisories/RUSTSEC-2024-0006.html

Code Behaviors & Features

Detect and mitigate GHSA-286m-6pg9-v42v with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →