Description
shell-quote prior to 1.8.5 finalizes parsed tokens in parse() using Array.prototype.concat as a reduce accumulator, which reallocates and copies the entire growing array on every iteration. As a result parse() runs in O(n^2) time relative to the number of input tokens. An attacker who can supply an attacker-controlled string to any code path that calls parse() (no shell metacharacters are required; plain space-separated words suffice) can block the single-threaded Node.js event loop for an extended period with a small input, resulting in a denial of service. There is no code execution or data disclosure; impact is to availability only. Fixed in 1.8.5.
Published: 2026-06-25
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A quadratic-time parsing flaw in shell-quote causes the parse() routine to use an inefficient reduce strategy that reallocates the entire token array on every iteration. When an attacker can supply any whitespace-separated string to a code path that calls parse(), the single-threaded Node.js event loop locks up, halting application responsiveness. The flaw is purely an availability issue with no code execution or data disclosure, and is classified as CWE-407 and CWE-1050.

Affected Systems

The vulnerability affects the npm package shell-quote, specifically all versions earlier than 1.8.5 as maintained by the ljharb maintainer. Any project that imports a vulnerable version and passes user-controlled input to parse() is at risk.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity DoS risk. The EPSS score of 0.0036 indicates a very low probability of exploitation, and the vulnerability is not listed in CISA's KEV catalog, suggesting that no widespread exploits have been documented. Attackers would need only to inject simple space-separated words into any call to parse(); the vector is inferred from the description and is likely via exposed application endpoints or libraries that process user data.

Generated by OpenCVE AI on June 26, 2026 at 01:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the shell-quote package to version 1.8.5 or newer.
  • Update all projects that depend on the vulnerable package and redeploy the new version.
  • Run a dependency audit (e.g., npm audit) to ensure no other instances of shell-quote < 1.8.5 remain in the codebase.

Generated by OpenCVE AI on June 26, 2026 at 01:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1050
References
Metrics threat_severity

None

threat_severity

Moderate


Thu, 25 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Ljharb
Ljharb shell-quote
Vendors & Products Ljharb
Ljharb shell-quote

Thu, 25 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Description shell-quote prior to 1.8.5 finalizes parsed tokens in parse() using Array.prototype.concat as a reduce accumulator, which reallocates and copies the entire growing array on every iteration. As a result parse() runs in O(n^2) time relative to the number of input tokens. An attacker who can supply an attacker-controlled string to any code path that calls parse() (no shell metacharacters are required; plain space-separated words suffice) can block the single-threaded Node.js event loop for an extended period with a small input, resulting in a denial of service. There is no code execution or data disclosure; impact is to availability only. Fixed in 1.8.5.
Title shell-quote parse() is quadratic in token count, enabling denial of service
Weaknesses CWE-407
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Ljharb Shell-quote
cve-icon MITRE

Status: PUBLISHED

Assigner: harborist

Published:

Updated: 2026-06-25T12:49:41.978Z

Reserved: 2026-06-25T04:39:03.579Z

Link: CVE-2026-13311

cve-icon Vulnrichment

Updated: 2026-06-25T12:49:20.791Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-25T04:48:36Z

Links: CVE-2026-13311 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T02:00:17Z

Weaknesses
  • CWE-1050

    Excessive Platform Resource Consumption within a Loop

  • CWE-407

    Inefficient Algorithmic Complexity