Skip to main content

Shell Quote

2 CVEs product

Monthly

CVE-2026-13311 HIGH This Week

Denial of service in the shell-quote Node.js library (versions prior to 1.8.5) lets remote attackers stall the single-threaded event loop by passing an attacker-controlled string into any code path that calls parse(). The flaw is purely algorithmic - parse() builds its token list with Array.prototype.concat as a reduce accumulator, giving O(n^2) behavior so even a small payload of plain space-separated words causes disproportionate CPU consumption. There is no public exploit identified at time of analysis and no KEV listing; impact is to availability only with no code execution or data disclosure despite the misleading 'RCE' source tag.

Node.js Denial Of Service RCE Shell Quote Red Hat +1
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.4%
CVE-2021-42740 npm CRITICAL PATCH Act Now

The shell-quote package before 1.7.3 for Node.js allows command injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Microsoft Node.js Command Injection Shell Quote
NVD GitHub
CVSS 3.1
9.8
EPSS
4.3%
EPSS 0% CVSS 8.7
HIGH This Week

Denial of service in the shell-quote Node.js library (versions prior to 1.8.5) lets remote attackers stall the single-threaded event loop by passing an attacker-controlled string into any code path that calls parse(). The flaw is purely algorithmic - parse() builds its token list with Array.prototype.concat as a reduce accumulator, giving O(n^2) behavior so even a small payload of plain space-separated words causes disproportionate CPU consumption. There is no public exploit identified at time of analysis and no KEV listing; impact is to availability only with no code execution or data disclosure despite the misleading 'RCE' source tag.

Node.js Denial Of Service RCE +3
NVD GitHub VulDB
EPSS 4% CVSS 9.8
CRITICAL PATCH Act Now

The shell-quote package before 1.7.3 for Node.js allows command injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Microsoft Node.js Command Injection +1
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy