Wiz
Vulnerability DatabaseGHSA-r7qv-8r2h-pg27

GHSA-r7qv-8r2h-pg27
Rust vulnerability analysis and mitigation

Overview

The vulnerability GHSA-r7qv-8r2h-pg27 affects the Rust shlex crate, which was discovered and disclosed on January 22, 2024. This high-severity vulnerability encompasses multiple issues involving the quote API in versions prior to 1.3.0. The affected package is the shlex crate for Rust, specifically impacting functions including shlex::bytes::join, shlex::bytes::quote, shlex::join, and shlex::quote in versions below 1.2.1 (GitHub Advisory, RustSec Advisory).

Technical details

The vulnerability consists of three distinct issues: First, a failure to properly quote characters where the bytes '{' and '\xa0' could appear unquoted and unescaped in command arguments. Second, a dangerous API behavior regarding null bytes, where the quote and join APIs allowed null bytes that cannot be properly handled in Unix command arguments or environment variables. Third, there was a lack of documentation regarding interactive shell risks, where control characters could potentially cause misbehavior including arbitrary command injection in interactive shell environments (GitHub Advisory).

Impact

When exploited, this vulnerability could cause a single command argument to be interpreted as multiple arguments when passed to a shell. While this doesn't directly enable arbitrary command execution, it could lead to undesired consequences depending on the command being executed, potentially including arbitrary command execution in specific scenarios. Additionally, in interactive shell environments, control characters could cause misbehavior leading to potential command injection (GitHub Advisory).

Mitigation and workarounds

The primary mitigation is to upgrade to version 1.3.0, which introduces new try_quote and try_join APIs that properly handle null bytes and includes improved documentation. For users unable to upgrade immediately, version 1.2.1 offers a minimal fix for the character quoting issue. Temporary workarounds include manually checking for the bytes '{' and '\xa0' in quote/join input or output, and checking for null bytes in input or output (GitHub Advisory).

Additional resources

SourceThis report was generated using AI

Related Rust vulnerabilities:

CVE ID

Severity

Score

Technologies

Component name

CISA KEV exploit

Has fix

Published date

CVE-2026-22257HIGH8.8
  • RustRust
  • salvo
NoYesJan 08, 2026
CVE-2026-22698HIGH8.7
  • RustRust
  • sm2
NoNoJan 10, 2026
CVE-2026-22699HIGH7.5
  • RustRust
  • sm2
NoNoJan 10, 2026
GHSA-g59m-gf8j-gjf5LOW3.7
  • RustRust
  • aws-sdk-eventbridge
NoYesJan 08, 2026
GHSA-585q-cm62-757jLOW2
  • RustRust
  • mnl
NoNoJan 09, 2026

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

Cloud Threat Landscape

A threat intelligence database

PEACH

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo