Description
shell-quote's `quote()` function did not validate object-token inputs against the operator model used by `parse()`. The `.op` field was backslash-escaped character by character using `/(.)/g`, which in JavaScript does not match line terminators (\n, \r, U+2028, U+2029). A line terminator in `.op` therefore passed through unescaped into the output; POSIX shells treat a literal newline as a command separator, so any content after it would execute as a second command. The vulnerable code path is reachable in two ways: (1) direct construction of `{ op: '...\n...' }` from external input, and (2) via `parse(cmd, envFn)` when `envFn` returns object tokens whose `.op` is attacker-influenced. Both are documented API surface. Fixed by replacing the per-character escape with strict shape validation: `.op` must match the parser's control-operator allowlist; `{ op: 'glob', pattern }` validates `pattern` and forbids line terminators; `{ comment }` validates `comment` and forbids line terminators; any other object shape throws `TypeError`.
Published: 2026-05-22
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the shell-quote library arises from its `quote()` function not validating the shape of object-token inputs. When an object token contains a `.op` field with line terminators such as newline or Unicode paragraph separators, those characters are not escaped by the per‑character backslash escape logic. POSIX shells interpret a literal newline as a command separator, so any text following the newline is executed as a separate command. This flaw allows an attacker to inject malicious commands that the shell will run, leading to complete compromise of the system running the Node.js process. The weakness corresponds to CWE‑77 and CWE‑78 for input that influences command execution.

Affected Systems

Any Node.js application that depends on the shell-quote npm package and uses its documented APIs—either the `quote()` function or the `parse(cmd, envFn)` helper—is vulnerable. The bug exists in all versions of shell‑quote released before the security‑fix commit 1518179, which introduced strict validation of the `.op` field. All applications that receive external data that could construct an object token, or that call `parse` with an `envFn` that may supply attacker‑influenced tokens, are affected.

Risk and Exploitability

The CVSS score of 9.2 indicates a high‑severity vulnerability, with most conditions for exploitation already satisfied: the flaw is in a widely used npm package, it is reachable through documented interfaces, and it can be triggered without any special privileges. The EPSS score is unavailable, but the absence of a KEV listing does not mitigate the potential for exploitation, especially given the public nature of the vulnerable code. An attacker with the ability to influence the input to `quote()` or `parse()`—for example by supplying a crafted environment variable or API payload—can inject newline characters and execute arbitrary shell commands. The attack vector is likely local to the Node.js runtime, though it could be triggered by network input if the application processes untrusted data. The environment in which the Node process runs determines the scope of the compromise; if the process runs with elevated privileges, the attacker may gain full system control.

Generated by OpenCVE AI on May 22, 2026 at 15:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the shell-quote dependency to the fixed version that includes commit 1518179 or later, ensuring the strict shape validation is in place.
  • If updating is not immediately possible, audit all uses of `quote()` and `parse()` to verify that any object tokens supplied to them have a `.op` field that matches the allowed operator set and contains no line‑terminator characters; reject or sanitize any tokens that do not comply.
  • Configure application logs or use endpoint monitoring to detect unexpected shell command executions, which can help identify potential abuse of the vulnerability.

Generated by OpenCVE AI on May 22, 2026 at 15:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6300-1 node-shell-quote security update
Github GHSA Github GHSA GHSA-w7jw-789q-3m8p shell-quote quote() does not escape newlines in object .op values
Ubuntu USN Ubuntu USN USN-8410-1 shell-quote vulnerability
History

Tue, 26 May 2026 13:45:00 +0000

Type Values Removed Values Added
References

Mon, 25 May 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Ljharb
Ljharb shell-quote
Vendors & Products Ljharb
Ljharb shell-quote
References
Metrics threat_severity

None

 threat_severity

Important

Fri, 22 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 22 May 2026 13:45:00 +0000

Type Values Removed Values Added
Description shell-quote's `quote()` function did not validate object-token inputs against the operator model used by `parse()`. The `.op` field was backslash-escaped character by character using `/(.)/g`, which in JavaScript does not match line terminators (\n, \r, U+2028, U+2029). A line terminator in `.op` therefore passed through unescaped into the output; POSIX shells treat a literal newline as a command separator, so any content after it would execute as a second command. The vulnerable code path is reachable in two ways: (1) direct construction of `{ op: '...\n...' }` from external input, and (2) via `parse(cmd, envFn)` when `envFn` returns object tokens whose `.op` is attacker-influenced. Both are documented API surface. Fixed by replacing the per-character escape with strict shape validation: `.op` must match the parser's control-operator allowlist; `{ op: 'glob', pattern }` validates `pattern` and forbids line terminators; `{ comment }` validates `comment` and forbids line terminators; any other object shape throws `TypeError`.
Title shell-quote `quote()` does not validate object-token shapes, allowing command injection via line terminators in `.op`
Weaknesses CWE-77
CWE-78
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Ljharb Shell-quote
cve-icon MITRE

Status: PUBLISHED

Assigner: harborist

Published:

Updated: 2026-05-23T03:04:40.537Z

Reserved: 2026-05-22T12:13:25.893Z

Link: CVE-2026-9277

cve-icon Vulnrichment

Updated: 2026-05-22T14:17:25.193Z

cve-icon NVD

Status : Deferred

Published: 2026-05-22T14:16:30.330

Modified: 2026-05-23T04:16:40.053

Link: CVE-2026-9277

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-22T13:22:38Z

Links: CVE-2026-9277 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-25T11:34:21Z

Weaknesses
  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')

  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')