vulnerability

FreeBSD: VID-d923fb0c-8c2f-11ec-aa85-0800270512f4 (CVE-2021-45444): zsh -- Arbitrary command execution vulnerability

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
5	(AV:N/AC:H/Au:N/C:P/I:P/A:P)	Feb 12, 2022	Nov 4, 2022	Dec 10, 2025

Severity

CVSS

(AV:N/AC:H/Au:N/C:P/I:P/A:P)

Published

Feb 12, 2022

Added

Nov 4, 2022

Modified

Dec 10, 2025

Description

Marc Cornellà reports: Some prompt expansion sequences, such as %F, support 'arguments' which are themselves expanded in case they contain colour values, etc. This additional expansion would trigger PROMPT_SUBST evaluation, if enabled. This could be abused to execute code the user didn't expect. e.g., given a certain prompt configuration, an attacker could trick a user into executing arbitrary code by having them check out a Git branch with a specially crafted name.

Solution

freebsd-upgrade-package-zsh

References

CVE-2021-45444
https://attackerkb.com/topics/CVE-2021-45444

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today