Advisory #63
TitleZsh recursive command expansion vulnerability
CVE IDCVE-2021-45444
Affected productZsh
Affected versions<= 5.8
Vulnerability typeCWE-167 (Improper Handling of Additional Special Element)
DescriptionIn Zsh 5.8 or below, malicious command outputs inside the prompt perform recursive PROMPT_SUBST expansion, which allows a malicious command output to execute arbitrary commands.
StatusFixed in 5.8.1
RecommendationUpdate to 5.8.1 or above.