If you run a web server that generates its own CAPTCHA using something like ImageMagick, or call system() to gzip something, you could possibly be vulnerable.
Never underestimate vulnerabilities and the way people can use them, or even combine them, to exploit systems.
Consider how many people touch an enterprise system, or even a system at a smaller shop. Consider how many people touch shared hosting servers or even dedicated boxes.
Do /you/ trust all of them, along with all the authors of all the software exposed to the web (or touched by something exposed to the web) on that system?
On shared hosting systems, you have to design the system with the assumption that someone is always compromised. So, additional accounts getting compromised should just be business as usual.
Seriously, if you're on shared hosting, it's almost certain that at least one person on the server is compromised/malicious.
Why would it be messed up if it's true? The Unix philosophy is to compose complex functionality using lots of small tools. Shelling out to existing tools instead of reinventing your own makes total sense.
I have seen implementations that shell out to bash scripts throughout my career in web and back-end development. It's a serious antipattern in the wild.
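An added example, not part of any comment in this thread: one way to do the kind of work mentioned above (gzipping from a web application) without handing request data to a shell. It compresses in-process, and when a helper must be run it executes it directly with a fixed environment; `SAFE_ENV`, `run_tool`, `demo` and the `HTTP_X_CONSTRUCTED` variable are assumptions made for the illustration, and the Python interpreter stands in for the external helper.

```python
import gzip
import os
import subprocess
import sys

# Fixed environment handed to every child; nothing request-derived is inherited.
SAFE_ENV = {"PATH": "/usr/bin:/bin", "LANG": "C"}


def compress_in_process(data: bytes) -> bytes:
    """Gzip without starting any child process at all."""
    return gzip.compress(data)


def run_tool(argv, data=b""):
    """Run a helper directly via exec (no shell) with SAFE_ENV only."""
    if not argv or not os.path.isabs(argv[0]):
        raise ValueError("helper path must be absolute")
    done = subprocess.run(argv, input=data, env=SAFE_ENV, shell=False,
                          stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                          timeout=10, check=True)
    return done.stdout


def demo():
    # Constructed stand-ins for data a web request would supply.
    os.environ["HTTP_X_CONSTRUCTED"] = "constructed header value"
    name = "report.txt; echo constructed"
    # The Python interpreter stands in for an external helper such as gzip.
    echo_arg = [sys.executable, "-c", "import sys; print(sys.argv[1])", name]
    list_env = [sys.executable, "-c",
                "import os; print(' '.join(sorted(os.environ)))"]
    seen_arg = run_tool(echo_arg).decode().strip()
    seen_env = run_tool(list_env).decode().split()
    return seen_arg, seen_env


if __name__ == "__main__":
    arg, env = demo()
    print("argument seen by child:", arg)
    print("environment seen by child:", env)
    data = b"constructed payload"
    print("round trip ok:", gzip.decompress(compress_in_process(data)) == data)
```

The file name reaches the child as one unmodified argument because no shell ever parses it, and the request-derived variable set in the parent is absent from the child's environment.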