CVE-2024-58266
published 2025-07-27

CVE-2024-58266: The shlex crate before 1.2.1 for Rust allows unquoted and unescaped instances of the { and \xa0 characters, which may facilitate command injection.

Priority: P2 61 · critical 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.78% (51.3rd percentile)

Affected (22 ranges)

Vendor | Product | Version range | Fixed in
comex | shlex | < 1.2.1 | 1.2.1
comex | shlex | >= 0 < 1.3.0 | 1.3.0
comex | shlex | >= 0.0.0-0 < 1.3.0 | 1.3.0
debian | rust-shlex | < rust-shlex 1.3.0-1 (forky) | rust-shlex 1.3.0-1 (forky)
msrc | azl3_rust_1.75.0-17_on_azure_linux_3.0 | |
msrc | azl3_rust_1.75.0-18_on_azure_linux_3.0 | |
msrc | azl3_rust_1.75.0-20_on_azure_linux_3.0 | |
msrc | azl3_rust_1.75.0-21_on_azure_linux_3.0 | |
msrc | azl3_rust_1.75.0-22_on_azure_linux_3.0 | |
msrc | azl3_rust_1.75.0-24_on_azure_linux_3.0 | |
msrc | azl3_rust_1.75.0-25_on_azure_linux_3.0 | |
msrc | azl3_rust_1.75.0-27_on_azure_linux_3.0 | |
msrc | azl3_rust_1.86.0-3_on_azure_linux_3.0 | |
msrc | cbl2_kata-containers-cc_3.2.0.azl2-7_on_cbl_mariner_2.0 | |
msrc | cbl2_kata-containers-cc_3.2.0.azl2-8_on_cbl_mariner_2.0 | |
msrc | cbl2_kata-containers_3.2.0.azl2-6_on_cbl_mariner_2.0 | |
msrc | cbl2_kata-containers_3.2.0.azl2-7_on_cbl_mariner_2.0 | |
msrc | cbl2_rust_1.72.0-10_on_cbl_mariner_2.0 | |
msrc | cbl2_rust_1.72.0-11_on_cbl_mariner_2.0 | |
msrc | cbl2_rust_1.72.0-13_on_cbl_mariner_2.0 | |
msrc | cbl2_rust_1.72.0-14_on_cbl_mariner_2.0 | |
msrc | cbl2_rust_1.72.0-15_on_cbl_mariner_2.0 | |

Detection & IOCs (extracted from sources)

  • Flag use of shlex crate versions before 1.2.1 in Rust projects; the vulnerability allows unquoted/unescaped { and \xa0 characters to facilitate command injection
  • Monitor for command injection attempts exploiting unquoted curly brace ({) or non-breaking space (\xa0 / 0xA0) characters passed through shlex-processed input in Rust applications
  • Exploitation requires a single argument containing { or \xa0 to be interpreted as multiple shell arguments; look for these characters in process argument lists of Rust applications using shlex
  • Exploitation via control characters is only relevant to interactive shells; non-interactive shell invocations are unaffected, so scope detection efforts to interactive shell contexts
  • Only shlex crate versions before 1.2.1 are vulnerable; upgrading to 1.2.1 or later (e.g., Debian fixed in 1.3.0-1) resolves the issue
  • Null byte exploitation is not viable on Unix systems as null bytes cannot be used in command arguments or environment variables
  • Red Hat rates this Low severity due to high attack complexity, local scope, and constrained exploitability; many RHEL packages are marked Not Affected
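An added audit helper, written for this page and not code from cvebase or the shlex crate, that implements the first and third detection notes above: it flags `shlex` entries below 1.2.1 in a Cargo.lock and reports argument-vector entries containing `{` or U+00A0. The Cargo.lock excerpt is constructed.

```python
"""Audit helper for CVE-2024-58266 (shlex < 1.2.1), added as an example.

Two checks mirror the detection notes above:
  1. parse a Cargo.lock and flag any `shlex` package whose version is < 1.2.1;
  2. scan an argument vector for the two characters the pre-1.2.1 quoting
     left unquoted: '{' and U+00A0 (the non-breaking space).
"""
import re

FIXED_VERSION = (1, 2, 1)        # first shlex release that quotes '{' and U+00A0
SUSPECT_CHARS = ("{", "\xa0")    # the characters the detection notes call out

# Constructed Cargo.lock excerpt (illustrative, not from any real project).
SAMPLE_CARGO_LOCK = """\
[[package]]
name = "regex"
version = "1.10.2"

[[package]]
name = "shlex"
version = "1.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "shlex"
version = "1.3.0"
"""

def parse_version(text):
    """'1.2.0' -> (1, 2, 0); pre-release/build suffixes are dropped."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(p) for p in core.split("."))

def vulnerable_shlex_versions(cargo_lock):
    """Return the version string of every `shlex` entry below 1.2.1."""
    found = []
    for block in cargo_lock.split("[[package]]"):
        name = re.search(r'^name\s*=\s*"([^"]+)"', block, re.M)
        ver = re.search(r'^version\s*=\s*"([^"]+)"', block, re.M)
        if name and ver and name.group(1) == "shlex":
            if parse_version(ver.group(1)) < FIXED_VERSION:
                found.append(ver.group(1))
    return found

def suspicious_args(argv):
    """Return (index, char) pairs for arguments carrying '{' or U+00A0."""
    return [(i, ch) for i, arg in enumerate(argv) for ch in SUSPECT_CHARS if ch in arg]
```

Run `vulnerable_shlex_versions` over each Cargo.lock in a repository and `suspicious_args` over captured process argument lists of shlex-using binaries; a non-empty result is the signal to upgrade or to inspect the invocation.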

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv | | 9.8 | CRITICAL |
vendor_debian | | 3.2 | LOW |
vendor_msrc | | 3.2 | LOW |
vendor_redhat | | 3.2 | LOW |