{"vulnerability": "CVE-2021-42740", "sightings": [{"uuid": "99fb772b-ca58-4843-adc8-6e3abf90fc89", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42740", "type": "seen", "source": "https://gist.github.com/konard/009400a33f6fb569a958b992389f5d49", "content": "", "creation_timestamp": "2025-12-11T22:14:09.000000Z"}, {"uuid": "8df4626e-bfd3-4211-84be-a6718aa0bea1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42740", "type": "seen", "source": "https://gist.github.com/konard/dd968c3f94817e10464ba8c79d2ef323", "content": "", "creation_timestamp": "2025-12-11T22:10:11.000000Z"}, {"uuid": "a5f571bc-e25c-40e6-8c9d-970e8cf2e4e1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42740", "type": "seen", "source": "https://t.me/cibsecurity/30953", "content": "\u203c CVE-2021-42740 \u203c\n\nThe shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is {A-z] instead of the correct {A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-10-21T18:36:55.000000Z"}]}