Windows API only provides a single string containing all the arguments to the spawned process ... Unfortunately it was reported that our escaping logic was not thorough enough, and it was possible to pass malicious arguments that would result in arbitrary shell execution.