BETA Shoulder is in beta — Findings may sometimes be wrong. Your feedback shapes what we fix next. Share feedback
Shoulder.dev

Understand what every change actually did to your system.
FIX SOON No patch yet
High impact vulnerability.
No patch available yet. Apply workarounds and monitor.

Shellshock

Arbitrary command execution via crafted environment variables

Severity CVSS CRITICAL 9.8
Exploitation Shoulder No known exploits
Fix available Unknown
CVE-2014-6271

Should I care?

This matters if:
  • Apps executing system commands with user input
  • CI/CD or build tools that shell out
Not relevant if:
  • No shell commands in your application code
  • All commands use fixed arguments

How it breaks apps

1 User input passed to shell command
2 Command string is injectable
3 Attacker runs arbitrary commands
4 Full system compromise

Is this in your code?

Shoulder scans your codebase and tells you if CVE-2014-6271 is reachable — not just present.

npx @shoulderdev/cli trust .
Technical details

Risk by Environment

Production (public-facing) HIGH
Patch soon. Exploitation requires specific conditions but impact is severe.
Staging MEDIUM
Schedule patch. Review if this environment is network-accessible.
Internal services MEDIUM
Assess exposure. Patch if the service handles sensitive data.
Local dev only LOW
Minimal risk in isolated dev environments.

AI Development Risk

This vulnerability pattern is commonly introduced when AI generates code.

CWE-78
OS command injection
AI-generated code often shells out to system commands with unsanitized user input.

Detection Rules 3 rules

CWE-78 3 rules

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Command Injection via os/exec
Command Injection via child_process
OS Command Injection

External References

NVD View on NVD →
MITRE View on MITRE →
Back to Ecosystem Intelligence Browse CWE Index