Locutus (https://github.com/kvz/locutus), up to and including version 2.0.11, allows arbitrary command execution through its php/exec/escapeshellarg function. Locutus is meant to assimilate PHP libraries into JavaScript. In PHP, escapeshellarg (https://www.php.net/manual/en/function.escapeshellarg.php) is meant to escape a string to be used as a shell argument. However, in the Locutus implementation this escaping can be bypassed.
It's not always simple to correctly implement full-blown PHP libraries in JavaScript to ease their use for developers more accustomed to the PHP language. In this particular scenario it resulted in a vulnerability. The vulnerability is present because the function implemented here does not correctly sanitize two single quotes (''), which allows input to escape the quoted argument. For verification, POC files can be found here: node file and php file
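A regression check for this class of bug, as an added example that is not code from Locutus or from the original advisory: it round-trips an escaper's output through a minimal POSIX single-quote decoder and reports when adjacent single quotes break the quoting. The names escapeShellArg, flawedEscape, decodeSingleWord and roundTrips are hypothetical, and flawedEscape is a constructed stand-in for an escaper that skips the second of two adjacent quotes, not the Locutus source.

```javascript
'use strict';

// Hardened escaper (added example): wrap the value in single quotes and
// replace every ' with '\'' as PHP documents for escapeshellarg on POSIX.
// Rejecting NUL is an assumption made here: an argv string cannot carry it.
function escapeShellArg(arg) {
  const s = String(arg);
  if (s.includes('\0')) throw new Error('NUL byte in shell argument');
  return "'" + s.replace(/'/g, "'\\''") + "'";
}

// Constructed flawed escaper (assumption, not the Locutus source): the pattern
// needs a non-backslash character in front of each quote, so after one match
// the second of two adjacent quotes is never rewritten.
function flawedEscape(arg) {
  return "'" + String(arg).replace(/[^\\]'/g, (m) => m[0] + "'\\''") + "'";
}

// Decode a string that must consist only of '...' segments and \' pairs.
// Returns the decoded argument, or null if anything would reach the shell
// unquoted or a quote is left open.
function decodeSingleWord(quoted) {
  let out = '';
  let i = 0;
  while (i < quoted.length) {
    if (quoted.startsWith("\\'", i)) { out += "'"; i += 2; continue; }
    if (quoted[i] !== "'") return null;      // character outside any quotes
    const end = quoted.indexOf("'", i + 1);
    if (end === -1) return null;             // unterminated quote
    out += quoted.slice(i + 1, end);
    i = end + 1;
  }
  return out;
}

// True when the escaped form is one quoted word that decodes back to the input.
function roundTrips(escaper, input) {
  return decodeSingleWord(escaper(input)) === input;
}

// Constructed sample inputs, including the two-single-quote case from the advisory.
for (const sample of ["plain", "it's", "a''b", ""]) {
  console.log(JSON.stringify(sample),
    'hardened:', roundTrips(escapeShellArg, sample),
    'flawed:', roundTrips(flawedEscape, sample));
}
```

Running roundTrips against any escaper over a corpus that includes consecutive and leading quotes makes a suitable unit test before the function is trusted to build command lines.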
Vendor contacted 5/27/2020
Received no response in 30 days
Public disclosure on 7/1/2020