Advisories for Npm/Shell-Quote package

The shell-quote package for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is {A-z] instead of the correct {A-Za-z]. Several shell …

The npm module shell-quote cannot correctly escape > and < operator used for redirection in shell. Applications that depend on shell-quote may also be vulnerable. A malicious user could perform code injection.

The module does not properly escape ">" and "<" operator used for redirection in shell. Application escaping command-line args with this module might be vulnerable from malicious user input.