Description
shell-quote's `quote()` function did not validate object-token inputs against the operator model used by `parse()`. The `.op` field was backslash-escaped character by character using `/(.)/g`, which in JavaScript does not match line terminators (\n, \r, U+2028, U+2029). A line terminator in `.op` therefore passed through unescaped into the output; POSIX shells treat a literal newline as a command separator, so any content after it would execute as a second command. The vulnerable code path is reachable in two ways: (1) direct construction of `{ op: '...\n...' }` from external input, and (2) via `parse(cmd, envFn)` when `envFn` returns object tokens whose `.op` is attacker-influenced. Both are documented API surface. Fixed by replacing the per-character escape with strict shape validation: `.op` must match the parser's control-operator allowlist; `{ op: 'glob', pattern }` validates `pattern` and forbids line terminators; `{ comment }` validates `comment` and forbids line terminators; any other object shape throws `TypeError`.
Published: 2026-05-22
Score: 9.2 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the shell-quote library arises from its `quote()` function not validating the shape of object-token inputs. When an object token contains a `.op` field with line terminators such as newline or Unicode paragraph separators, those characters are not escaped by the per‑character backslash escape logic. POSIX shells interpret a literal newline as a command separator, so any text following the newline is executed as a separate command. This flaw allows an attacker to inject malicious commands that the shell will run, leading to complete compromise of the system running the Node.js process. The weakness corresponds to CWE‑77 and CWE‑78 for input that influences command execution.

Affected Systems

Any Node.js application that depends on the shell-quote npm package and uses its documented APIs—either the `quote()` function or the `parse(cmd, envFn)` helper—is vulnerable. The bug exists in all versions of shell‑quote released before the security‑fix commit 1518179, which introduced strict validation of the `.op` field. All applications that receive external data that could construct an object token, or that call `parse` with an `envFn` that may supply attacker‑influenced tokens, are affected.

Risk and Exploitability

The CVSS score of 9.2 indicates a high‑severity vulnerability, with most conditions for exploitation already satisfied: the flaw is in a widely used npm package, it is reachable through documented interfaces, and it can be triggered without any special privileges. The EPSS score is unavailable, but the absence of a KEV listing does not mitigate the potential for exploitation, especially given the public nature of the vulnerable code. An attacker with the ability to influence the input to `quote()` or `parse()`—for example by supplying a crafted environment variable or API payload—can inject newline characters and execute arbitrary shell commands. The attack vector is likely local to the Node.js runtime, though it could be triggered by network input if the application processes untrusted data. The environment in which the Node process runs determines the scope of the compromise; if the process runs with elevated privileges, the attacker may gain full system control.

Generated by OpenCVE AI on May 22, 2026 at 15:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the shell-quote dependency to the fixed version that includes commit 1518179 or later, ensuring the strict shape validation is in place.
  • If updating is not immediately possible, audit all uses of `quote()` and `parse()` to verify that any object tokens supplied to them have a `.op` field that matches the allowed operator set and contains no line‑terminator characters; reject or sanitize any tokens that do not comply.
  • Configure application logs or use endpoint monitoring to detect unexpected shell command executions, which can help identify potential abuse of the vulnerability.

Generated by OpenCVE AI on May 22, 2026 at 15:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 22 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 22 May 2026 13:45:00 +0000

Type Values Removed Values Added
Description shell-quote's `quote()` function did not validate object-token inputs against the operator model used by `parse()`. The `.op` field was backslash-escaped character by character using `/(.)/g`, which in JavaScript does not match line terminators (\n, \r, U+2028, U+2029). A line terminator in `.op` therefore passed through unescaped into the output; POSIX shells treat a literal newline as a command separator, so any content after it would execute as a second command. The vulnerable code path is reachable in two ways: (1) direct construction of `{ op: '...\n...' }` from external input, and (2) via `parse(cmd, envFn)` when `envFn` returns object tokens whose `.op` is attacker-influenced. Both are documented API surface. Fixed by replacing the per-character escape with strict shape validation: `.op` must match the parser's control-operator allowlist; `{ op: 'glob', pattern }` validates `pattern` and forbids line terminators; `{ comment }` validates `comment` and forbids line terminators; any other object shape throws `TypeError`.
Title shell-quote `quote()` does not validate object-token shapes, allowing command injection via line terminators in `.op`
Weaknesses CWE-77
CWE-78
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: harborist

Published:

Updated: 2026-05-23T03:04:40.537Z

Reserved: 2026-05-22T12:13:25.893Z

Link: CVE-2026-9277

cve-icon Vulnrichment

Updated: 2026-05-23T03:04:40.537Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-22T16:00:14Z

Weaknesses