
Shell Injection during Production

Shell injection occurs when an attacker-controlled string changes the structure of a command passed to a shell, or causes a child process to execute an unintended command or to run with unintended arguments. Typically, this happens because code or a dependency invokes child_process with an argument partially composed from untrusted inputs.

Shell injection may also occur during development and deployment. For example, npm and Bower {pre-,,post-}install hooks may be subject to shell injection via filenames that contain shell meta-characters in malicious transitive dependencies, but we classify this as an MTP vulnerability.
