CVE-2024-58266: 
Rust vulnerability analysis and mitigation

The shlex crate before version 1.2.1 for Rust contains a vulnerability that allows unquoted and unescaped instances of the { and \xa0 characters, which may facilitate command injection. The vulnerability was discovered and disclosed on July 27, 2025, affecting all versions of the shlex crate prior to 1.2.1 (NVD, RUSTSEC).

The vulnerability has received a CVSS v3.1 Base Score of 9.8 (CRITICAL) from NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The issue stems from improper encoding or escaping of output (CWE-116). When the output of quote or join functions is passed to a shell, a single command argument could be interpreted as multiple arguments due to unescaped special characters (GitHub Advisory).

While the vulnerability doesn't directly allow arbitrary command execution through command substitution, it can lead to undesired consequences when multiple arguments are injected where only one is expected. Depending on the command being executed, this could potentially result in arbitrary command execution. The issue is particularly concerning when dealing with glob expansion through the { character and word separation through the \xa0 character (RUSTSEC).

The primary mitigation is to upgrade to version 1.2.1 or preferably 1.3.0, which includes additional security improvements. For those unable to upgrade, a workaround involves checking for the bytes { and \xa0 in quote/join input or output. Version 1.3.0 also introduces new tryquote and tryjoin APIs that handle nul bytes more safely by returning Err if the input contains them (RUSTSEC).