How far this can be in pfSense? Should we concerned about it?
We don't have any way to pass user data into a glob that would result in any means to exploit that.
2.1 will pick up the fix automatically, but even on 2.0.x it's not much to worry about. Not unless you let random people into the shell of the firewall that you don't trust (which you shouldn't be doing anyhow…)