RUSTSEC-2025-0116: 
Rust vulnerability analysis and mitigation

The shlex crate before version 1.2.1 for Rust contains a vulnerability that allows unquoted and unescaped instances of the { and non-breaking space characters, which may facilitate command injection. The vulnerability was disclosed on July 27, 2025, and was assigned CVE-2024-58266 (NVD, RedHat).

The vulnerability is classified as CWE-116 (Improper Encoding or Escaping of Output). It received varying CVSS scores, with NIST assigning a Critical score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), while MITRE assigned a Low score of 3.2 (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N) (NVD).

The vulnerability involves three distinct issues: failure to quote characters that can cause single arguments to be interpreted as multiple arguments in a shell, handling of null bytes in strings that cannot be used in Unix command arguments, and lack of escaping for control characters in interactive shells. The overall impact is considered limited, with exploitation requiring high attack complexity and targeting of uncommon scenarios (RedHat).

According to Red Hat, mitigation options are either not available or do not meet their Product Security criteria for ease of use, deployment, and applicability to widespread installation base or stability (RedHat).