CVE-2024-58266
Published 2025-07-27
Priority P261 · Severity: critical · CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.78% (51.3rd percentile)
The shlex crate before 1.2.1 for Rust allows unquoted and unescaped instances of the { and \xa0 characters, which may facilitate command injection.
Affected (22 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| comex | shlex | < 1.2.1 | 1.2.1 |
| comex | shlex | >= 0 < 1.3.0 | 1.3.0 |
| comex | shlex | >= 0.0.0-0 < 1.3.0 | 1.3.0 |
| debian | rust-shlex | < rust-shlex 1.3.0-1 (forky) | rust-shlex 1.3.0-1 (forky) |
| msrc | azl3_rust_1.75.0-17_on_azure_linux_3.0 | — | — |
| msrc | azl3_rust_1.75.0-18_on_azure_linux_3.0 | — | — |
| msrc | azl3_rust_1.75.0-20_on_azure_linux_3.0 | — | — |
| msrc | azl3_rust_1.75.0-21_on_azure_linux_3.0 | — | — |
| msrc | azl3_rust_1.75.0-22_on_azure_linux_3.0 | — | — |
| msrc | azl3_rust_1.75.0-24_on_azure_linux_3.0 | — | — |
| msrc | azl3_rust_1.75.0-25_on_azure_linux_3.0 | — | — |
| msrc | azl3_rust_1.75.0-27_on_azure_linux_3.0 | — | — |
| msrc | azl3_rust_1.86.0-3_on_azure_linux_3.0 | — | — |
| msrc | cbl2_kata-containers-cc_3.2.0.azl2-7_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_kata-containers-cc_3.2.0.azl2-8_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_kata-containers_3.2.0.azl2-6_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_kata-containers_3.2.0.azl2-7_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_rust_1.72.0-10_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_rust_1.72.0-11_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_rust_1.72.0-13_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_rust_1.72.0-14_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_rust_1.72.0-15_on_cbl_mariner_2.0 | — | — |
Detection & IOCs (extracted from sources)
- Flag use of shlex crate versions before 1.2.1 in Rust projects; the vulnerability allows unquoted/unescaped { and \xa0 characters to facilitate command injection
- Monitor for command injection attempts exploiting unquoted curly brace ({) or non-breaking space (\xa0 / 0xA0) characters passed through shlex-processed input in Rust applications
- Exploitation requires a single argument containing { or \xa0 to be interpreted as multiple shell arguments; look for these characters in process argument lists of Rust applications using shlex
- Exploitation via control characters is only relevant to interactive shells; non-interactive shell invocations are unaffected, so scope detection efforts to interactive shell contexts
- Only shlex crate versions before 1.2.1 are vulnerable; upgrading to 1.2.1 or later (e.g., Debian fixed in 1.3.0-1) resolves the issue
- Null byte exploitation is not viable on Unix systems as null bytes cannot be used in command arguments or environment variables
- Red Hat rates this Low severity due to high attack complexity, local scope, and constrained exploitability; many RHEL packages are marked Not Affected
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 3.2 | LOW | — |
| vendor_msrc | — | 3.2 | LOW | — |
| vendor_redhat | — | 3.2 | LOW | — |
Red Hat
shlex: Shlex Command Injection Vulnerability
vendor_redhat · 2025-07-27 · CVSS 3.2 · LOW · CWE-116
A flaw was found in shlex. The shlex crate improperly handles unquoted and unescaped curly brace and non-breaking space characters, allowing a local attacker to inject arbitrary commands. This injection occurs when processing input that contains these characters without proper quoting or escaping. Successful exploitation results in the execution of attacker-controlled commands. This can lead to arbitrary code execution.
Statement: This CVE was rated as Low severity. It involves three distinct issues: (1) Failure to quote characters, which can cause a single argument to be interpreted as multiple a
Microsoft
vendor_msrc · 2025-07-08 · CVSS 3.2 · LOW · CWE-116
The shlex crate before 1.2.1 for Rust allows unquoted and unescaped instances of the { and \xa0 characters, which may facilitate command injection.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Debian
CVE-2024-58266: rust-shlex - The shlex crate before 1.2.1 for Rust allows unquoted and unescaped instances of...
vendor_debian · 2024 · CVSS 3.2 · LOW
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 1.3.0-1)
sid: resolved (fixed in 1.3.0-1)
trixie: resolved (fixed in 1.3.0-1)
OSV
CVE-2024-58266: The shlex crate before 1
osv · 2025-07-27 · CVSS 9.8 · CRITICAL
OSV
Multiple issues involving quote API in shlex
osv · 2024-01-22 · LOW
## Issue 1: Failure to quote characters
Affected versions of this crate allowed the bytes `{` and `\xa0` to appear unquoted and unescaped in command arguments.
If the output of `quote` or `join` is passed to a shell, then what should be a single command argument could be interpreted as multiple arguments.
This does not *directly* allow arbitrary command execution (you can't inject a command substitution or similar). But depending on the command you're running, being able to inject multiple arguments where only one is expected could lead to undesired consequences, potentially including arbitrary command execution.
The flaw was corrected in version 1.2.1 by escaping additional characters. Updating to 1.3.0 is recommended, but 1.2.1 offers a m
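The advisory above describes `quote`/`join` output that lets a single argument split into several, and the detection bullets suggest watching for `{` and 0xA0 in shell-bound arguments. The following is an added example (not the shlex crate's code, and not how it implements `quote`): an allow-list quoter that single-quotes anything outside a small safe set, plus a defender-side check that reports whether either risky byte appears outside single quotes in a string about to reach a shell. Function names and the safe-byte set are this example's own choices.

```rust
// Added example, not the shlex crate's own code. Byte-oriented so that a
// lone 0xA0 (non-breaking space in Latin-1, not valid on its own in UTF-8)
// can be represented alongside ASCII.

/// Bytes allowed to stay unquoted in a POSIX shell word. Everything else,
/// including `{` (brace expansion) and 0xA0, is single-quoted; an allow-list
/// avoids the deny-list gap the advisory describes.
fn is_safe_byte(b: u8) -> bool {
    b.is_ascii_alphanumeric()
        || matches!(b, b'-' | b'_' | b'.' | b'/' | b':' | b'@' | b'%' | b'+' | b'=' | b',')
}

/// Quote one argument. Embedded single quotes become '\'' (close, escaped
/// quote, reopen). The empty string is quoted as '' so it stays one argument.
pub fn quote_arg(arg: &[u8]) -> Vec<u8> {
    if !arg.is_empty() && arg.iter().all(|&b| is_safe_byte(b)) {
        return arg.to_vec();
    }
    let mut out = vec![b'\''];
    for &b in arg {
        if b == b'\'' {
            out.extend_from_slice(b"'\\''");
        } else {
            out.push(b);
        }
    }
    out.push(b'\'');
    out
}

/// Quote each argument and join with single spaces.
pub fn join_args(args: &[&[u8]]) -> Vec<u8> {
    args.iter().map(|a| quote_arg(a)).collect::<Vec<_>>().join(&b' ')
}

/// Detection check: true if `{` or 0xA0 occurs outside single quotes.
/// Tracks single-quote state and skips backslash-escaped bytes outside
/// quotes, which is all the quoter above emits.
pub fn has_unquoted_risky_byte(s: &[u8]) -> bool {
    let mut in_single = false;
    let mut it = s.iter();
    while let Some(&b) = it.next() {
        match b {
            b'\'' => in_single = !in_single,
            b'\\' if !in_single => { it.next(); } // escaped byte, skip it
            b'{' | 0xA0 if !in_single => return true,
            _ => {}
        }
    }
    false
}
```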
GHSA
Multiple issues involving quote API in shlex
ghsa · 2024-01-22 · LOW
OSV
Multiple issues involving quote API
osv · 2024-01-21
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2024-58266 icecat: Shlex Command Injection Vulnerability [fedora-42]
bugzilla · 2025-07-28 · CVSS 9.8 · CRITICAL
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
The following link provides references to all essential vulnerability management information. If something is wrong or missing, please contact a member of PSIRT.
https://spaces.redhat.com/display/PRODSEC/Vulnerability+Management+-+Essential+Documents+for+Engineering+Teams
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from re
Bugzilla
CVE-2024-58266 thunderbird: Shlex Command Injection Vulnerability [fedora-42]
bugzilla · 2025-07-28 · CVSS 9.8 · CRITICAL
Bugzilla
CVE-2024-58266 mozjs115: Shlex Command Injection Vulnerability [fedora-42]
bugzilla · 2025-07-28 · CVSS 9.8 · CRITICAL