Description
shell-quote prior to 1.8.5 finalizes parsed tokens in parse() using Array.prototype.concat as a reduce accumulator, which reallocates and copies the entire growing array on every iteration. As a result parse() runs in O(n^2) time relative to the number of input tokens. An attacker who can supply an attacker-controlled string to any code path that calls parse() (no shell metacharacters are required; plain space-separated words suffice) can block the single-threaded Node.js event loop for an extended period with a small input, resulting in a denial of service. There is no code execution or data disclosure; impact is to availability only. Fixed in 1.8.5.
Published: 2026-06-25
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A quadratic-time parsing flaw in shell-quote: the parse() routine finalizes tokens with an inefficient reduce strategy that reallocates and copies the entire token array on every iteration. When an attacker can supply any whitespace-separated string to a code path that calls parse(), the single-threaded Node.js event loop is blocked for an extended period, halting application responsiveness. The flaw is purely an availability issue with no code execution or data disclosure, and is classified as CWE-407.

Affected Systems

The vulnerability affects the npm package shell-quote, specifically all versions earlier than 1.8.5, maintained by ljharb. Any project that imports a vulnerable version and passes user-controlled input to parse() is at risk.

Risk and Exploitability

The CVSS score of 8.7 indicates a high-severity DoS risk. The EPSS score is not available, and the vulnerability is not listed in CISA's KEV catalog, suggesting that no widespread exploitation has been documented. An attacker would need only to supply simple space-separated words to any call to parse(); the attack vector is inferred from the description and is most likely exposed application endpoints or libraries that pass user data to parse().

Generated by OpenCVE AI on June 25, 2026 at 06:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the shell-quote package to version 1.8.5 or newer.
  • Update all projects that depend on the vulnerable package and redeploy the new version.
  • Run a dependency audit (e.g., npm audit) to ensure no other instances of shell-quote < 1.8.5 remain in the codebase.
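To make the complexity concrete, here is an added JavaScript example (not shell-quote's own code): a token finalizer written with the concat-as-reduce-accumulator pattern the description names, its linear push-based counterpart with a copy counter that exposes the O(n^2) versus O(n) difference, and a token-budget guard (assumed budget of 256 tokens, tune per application) that a caller can place in front of parse() as an interim control alongside the upgrade above.

```javascript
// Added example, not shell-quote's code. Tokens arrive as small groups
// (shell-quote produces one or more tokens per word); "finalizing" is the
// step that flattens those groups into the final token array.

// Quadratic finalizer: Array.prototype.concat returns a NEW array every
// time, so the accumulator built so far is copied again on each iteration.
function finalizeQuadratic(groups) {
  let copies = 0;                       // elements copied during finalization
  const tokens = groups.reduce((acc, group) => {
    copies += acc.length;               // everything in acc is copied again
    return acc.concat(group);
  }, []);
  return { tokens, copies };
}

// Linear finalizer: append in place; each token is written exactly once.
function finalizeLinear(groups) {
  let copies = 0;
  const tokens = [];
  for (const group of groups) {
    for (const token of group) {
      tokens.push(token);
      copies += 1;
    }
  }
  return { tokens, copies };
}

// Constructed input: n plain space-separated words, one token per group,
// which is all the description says an attacker needs to supply.
function wordGroups(n) {
  return Array.from({ length: n }, (_, i) => [`w${i}`]);
}

// Interim mitigation for callers that cannot upgrade immediately: bound the
// number of whitespace-separated tokens before handing input to parse().
// The default budget of 256 is an assumption, not a value from the advisory.
function withinTokenBudget(input, maxTokens = 256) {
  const count = input.trim().split(/\s+/).filter(Boolean).length;
  return count <= maxTokens;
}

// For n = 1000 words: finalizeQuadratic copies 499500 elements,
// finalizeLinear copies 1000, and both yield identical token arrays.
```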

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 09:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared | (none)         | Ljharb; Ljharb shell-quote
Vendors & Products  | (none)         | Ljharb; Ljharb shell-quote

Thu, 25 Jun 2026 05:15:00 +0000

Type        | Values Removed | Values Added
Description | (none)         | shell-quote prior to 1.8.5 finalizes parsed tokens in parse() using Array.prototype.concat as a reduce accumulator, which reallocates and copies the entire growing array on every iteration. As a result parse() runs in O(n^2) time relative to the number of input tokens. An attacker who can supply an attacker-controlled string to any code path that calls parse() (no shell metacharacters are required; plain space-separated words suffice) can block the single-threaded Node.js event loop for an extended period with a small input, resulting in a denial of service. There is no code execution or data disclosure; impact is to availability only. Fixed in 1.8.5.
Title       | (none)         | shell-quote parse() is quadratic in token count, enabling denial of service
Weaknesses  | (none)         | CWE-407
References  | (none)         | (none)
Metrics     | (none)         | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
            |                | cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: harborist

Published:

Updated: 2026-06-25T04:48:36.351Z

Reserved: 2026-06-25T04:39:03.579Z

Link: CVE-2026-13311

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T08:45:05Z

Weaknesses
  • CWE-407: Inefficient Algorithmic Complexity