Skip to main content

shell-quote CVE-2026-13311

| EUVDEUVD-2026-39180 HIGH
Inefficient Algorithmic Complexity (CWE-407)
2026-06-25 7ffcee3d-2c14-4c3e-b844-86c6a321a158
8.7
CVSS 4.0 · Vendor: 7ffcee3d-2c14-4c3e-b844-86c6a321a158
Share

Severity by source

Vendor (7ffcee3d-2c14-4c3e-b844-86c6a321a158) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Remote, low-complexity, unauthenticated trigger via plain input with no user interaction; impact is availability-only event-loop blocking, so C:N/I:N and A:H, scope unchanged.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
6.5 MEDIUM
qualitative

Primary rating from Vendor (7ffcee3d-2c14-4c3e-b844-86c6a321a158).

CVSS VectorVendor: 7ffcee3d-2c14-4c3e-b844-86c6a321a158

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 25, 2026 - 05:32 vuln.today

DescriptionCVE.org

shell-quote prior to 1.8.5 finalizes parsed tokens in parse() using Array.prototype.concat as a reduce accumulator, which reallocates and copies the entire growing array on every iteration. As a result parse() runs in O(n^2) time relative to the number of input tokens. An attacker who can supply an attacker-controlled string to any code path that calls parse() (no shell metacharacters are required; plain space-separated words suffice) can block the single-threaded Node.js event loop for an extended period with a small input, resulting in a denial of service. There is no code execution or data disclosure; impact is to availability only. Fixed in 1.8.5.

AnalysisAI

Denial of service in the shell-quote Node.js library (versions prior to 1.8.5) lets remote attackers stall the single-threaded event loop by passing an attacker-controlled string into any code path that calls parse(). The flaw is purely algorithmic - parse() builds its token list with Array.prototype.concat as a reduce accumulator, giving O(n^2) behavior so even a small payload of plain space-separated words causes disproportionate CPU consumption. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify endpoint feeding input to parse()
Delivery
Craft small space-separated word payload
Exploit
Submit single unauthenticated request
Execution
Trigger O(n^2) token finalization
Persist
Block Node.js event loop
Impact
Service-wide denial of service

Vulnerability AssessmentAI

Exploitation Exploitation requires that the application passes an attacker-controlled string into a code path that calls shell-quote's parse() function on a version prior to 1.8.5 - that dependency-and-data-flow condition is the real prerequisite, not any product configuration flag. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) describes network-reachable, low-complexity, unauthenticated exploitation with VA:H (high availability impact) and no confidentiality or integrity impact, yielding the reported 8.7 score - high specifically because availability damage is easy and unconditional. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies a web endpoint or API that forwards a user-supplied field (for example a search string, filename, or command argument) into a shell-quote parse() call. They submit a single small request containing a long run of space-separated words; the quadratic parsing pins a CPU core and blocks the Node.js event loop, freezing all concurrent requests on that instance. …
Remediation Vendor-released patch: upgrade shell-quote to version 1.8.5 or later, which replaces the quadratic concat-based accumulator; this is the primary and complete fix and should be applied directly and via transitive dependency overrides (npm 'overrides' or yarn 'resolutions') since shell-quote is frequently pulled in indirectly. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Conduct dependency audit to identify all Node.js applications using shell-quote versions prior to 1.8.5. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 12 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected

Share

CVE-2026-13311 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy