The npm module “shell-quote” 1.6.0 and earlier cannot correctly escape “>” and “<” operator used for redirection in shell. Applications that depend on shell-quote may also be vulnerable. A malicious user could perform code injection.
[
{
"vendor": "HackerOne",
"product": "shell-quote node module",
"versions": [
{
"version": "<=1.6.0",
"status": "affected"
}
]
}
]