Skip to main content

shell-quote EUVDEUVD-2026-31440

| CVE-2026-9277 CRITICAL
OS Command Injection (CWE-78)
2026-05-22 harborist GHSA-w7jw-789q-3m8p
9.2
CVSS 4.0 · Vendor: harborist
Share

Severity by source

Vendor (harborist) PRIMARY
9.2 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.1 HIGH

AC:H because exploitation needs a caller feeding attacker-influenced object tokens to quote() then to a shell; PR:N/UI:N as the library imposes no auth, and full command execution gives C/I/A:H.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Red Hat
8.1 HIGH
qualitative

Primary rating from Vendor (harborist).

CVSS VectorVendor: harborist

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Source Code Evidence Fetched
Jun 30, 2026 - 03:31 vuln.today
Analysis Updated
Jun 30, 2026 - 03:31 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 03:30 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 30, 2026 - 03:24 vuln.today
cvss_changed
Severity Changed
Jun 30, 2026 - 03:24 NVD
HIGH CRITICAL
CVSS changed
Jun 30, 2026 - 03:24 NVD
8.1 (HIGH) 9.2 (CRITICAL)
Analysis Generated
May 22, 2026 - 14:00 vuln.today

DescriptionCVE.org

shell-quote's quote() function did not validate object-token inputs against the operator model used by parse(). The .op field was backslash-escaped character by character using /(.)/g, which in JavaScript does not match line terminators (\n, \r, U+2028, U+2029). A line terminator in .op therefore passed through unescaped into the output; POSIX shells treat a literal newline as a command separator, so any content after it would execute as a second command. The vulnerable code path is reachable in two ways: (1) direct construction of { op: '...\n...' } from external input, and (2) via parse(cmd, envFn) when envFn returns object tokens whose .op is attacker-influenced. Both are documented API surface. Fixed by replacing the per-character escape with strict shape validation: .op must match the parser's control-operator allowlist; { op: 'glob', pattern } validates pattern and forbids line terminators; { comment } validates comment and forbids line terminators; any other object shape throws TypeError.

AnalysisAI

Shell command injection in the npm shell-quote library (versions >= 1.1.0, <= 1.8.3) lets attacker-influenced object tokens smuggle a literal newline through quote(), turning the supposedly shell-safe output into multiple commands. The .op field of an object token was escaped character-by-character with /(.)/g, which in JavaScript does not match line terminators, so a newline survived unescaped and POSIX shells treat everything after it as a second command. Publicly available exploit code exists and a vendor patch (1.8.4) is released, though EPSS is low (0.05%) and SSVC marks current exploitation as none, indicating opportunity-but-not-yet-widespread risk.

Technical ContextAI

shell-quote is a widely-used JavaScript/Node.js utility that builds shell-safe command strings via quote() and parses them via parse(); it is meant to act as a shell-safety boundary so callers can hand its output to a shell. The flaw (CWE-78, OS Command Injection) stems from quote()'s handling of object tokens - a documented part of the API where tokens can be shapes like { op: ';' }, { op: 'glob', pattern } or { comment }. The .op value was backslash-escaped with the regex /(.)/g, and the dot in JavaScript regex (without the s flag) does not match line terminators \n, \r, U+2028, or U+2029, so any line terminator embedded in .op passed through verbatim. Because sh/bash/dash/zsh interpret a literal newline as a command separator, the unescaped newline ends the intended token and starts a fresh command line. The fix replaces per-character escaping with strict shape validation: .op must match the parser's control-operator allowlist (||, &&, ;;, |&, <(, <<<, >>, >&, <&, &, ;, (, ), |, <, >), glob patterns and comments must contain no line terminators, and any other object shape throws TypeError.

Affected ProductsAI

The affected component is the npm package shell-quote (maintained by ljharb), versions >= 1.1.0 through <= 1.8.3, fixed in 1.8.4 (package npm/shell-quote). Distribution rebuilds are also affected: Red Hat has published errata RHSA-2026:26072, 26077, 26079, 26080, 26090, 26225, and 26234 covering products that bundle the library. The vendor advisory is GHSA-w7jw-789q-3m8p (https://github.com/ljharb/shell-quote/security/advisories/GHSA-w7jw-789q-3m8p), with additional references at https://www.npmjs.com/package/shell-quote, NVD (https://nvd.nist.gov/vuln/detail/CVE-2026-9277), VulDB (https://vuldb.com/vuln/365199), ENISA EUVD EUVD-2026-31440, and the oss-security post at http://www.openwall.com/lists/oss-security/2026/05/23/2.

RemediationAI

Vendor-released patch: upgrade shell-quote to 1.8.4 or later (npm install shell-quote@^1.8.4, then verify transitive dependencies with npm ls shell-quote and refresh lockfiles), as fixed in commit 1518179 and described in advisory GHSA-w7jw-789q-3m8p. For Red Hat-based systems, apply the corresponding errata (RHSA-2026:26072/26077/26079/26080/26090/26225/26234) for any product that bundles the library. If you cannot upgrade immediately, the actionable compensating control is to stop passing object tokens whose .op/pattern/comment fields originate from untrusted input into quote(): sanitize or whitelist .op values against the parser's control-operator allowlist before calling quote(), and reject any token containing line terminators (\n, \r, U+2028, U+2029) - side effect: this duplicates the upstream fix logic and must be maintained in your own code. Where feasible, also avoid handing quote() output to a real shell (use child_process execFile/spawn with an argument array and shell:false), which removes the shell-interpretation step entirely - side effect: features relying on shell syntax (pipes, globbing) stop working. Audit any parse(cmd, envFn) usage where envFn consults an attacker-influenced data source and can return object tokens.

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Leap 16.0 Fixed
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 12 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-31440 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy