Input Validation Flaw in shell-quote Affects JavaScript Applications
CVE-2026-9277

9.2 CRITICAL

Key Information:

Vendor
CVE Published:
22 May 2026

What is CVE-2026-9277?

The shell-quote library contains an input validation flaw in its quote() function, which fails to validate object-token inputs against the operator model expected from its parse() function. Specifically, the escaping applied to the .op field does not cover line terminators, so they pass through unescaped. This allows an attacker to insert newlines into the assembled command, which POSIX shells interpret as command separators, leading to the execution of unintended commands. The flaw is reachable through object tokens supplied directly to quote() or through a manipulated environment lookup passed to parse(cmd, envFn). It has been addressed by adding strict shape validation for the .op field, which must now match a predefined allowlist, so line terminators can no longer cause command injection.
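As an added illustration (not shell-quote's own code), the following models the token-joining pattern described above: a quote()-style joiner that passes an object token's .op through verbatim, beside a hardened variant that validates the token shape against an operator allowlist before joining. The operator set and the simplified single-quote escaping are assumptions modelled on shell-quote's parse()/quote() behaviour, not copied from the library.

```javascript
// Added example, not shell-quote's own code. Models the flaw described above:
// a quote()-style joiner that trusts object tokens' .op field, beside a
// hardened version that enforces a strict shape and an operator allowlist.

// Assumption: operator set modelled on what shell-quote's parse() emits.
const SHELL_OPS = new Set([
  '|', '||', '&', '&&', ';', ';;', '(', ')',
  '<', '>', '>>', '<&', '>&', '|&', '<(', '<<<',
]);

// Simplified POSIX single-quoting (the real quote() chooses among several
// quoting styles; this is enough to make the .op problem visible).
function quoteString(s) {
  return "'" + String(s).replace(/'/g, "'\\''") + "'";
}

// Vulnerable pattern: any object with an .op key is passed through verbatim,
// so a .op containing a line terminator lands in the command unescaped.
function quoteUnsafe(tokens) {
  return tokens
    .map((t) => (t && typeof t === 'object' && 'op' in t ? t.op : quoteString(t)))
    .join(' ');
}

// Hardened pattern: a token must be a plain string or an object whose only
// key is .op and whose value is exactly one allowlisted operator.
function quoteSafe(tokens) {
  return tokens
    .map((t) => {
      if (typeof t === 'string') return quoteString(t);
      if (t && typeof t === 'object' && Object.keys(t).length === 1 &&
          typeof t.op === 'string' && SHELL_OPS.has(t.op)) {
        return t.op;
      }
      throw new TypeError('invalid token: ' + JSON.stringify(t));
    })
    .join(' ');
}

// Defensive check for an already-built command string: a line terminator
// should never appear outside a quoted argument, so any at all is a red flag.
function hasLineTerminator(cmd) {
  return /[\r\n\u2028\u2029]/.test(cmd);
}

// Constructed sample: an object token whose .op is a bare newline.
const sample = ['ls', { op: '\n' }];
console.log(JSON.stringify(quoteUnsafe(sample)), hasLineTerminator(quoteUnsafe(sample)));
try { quoteSafe(sample); } catch (e) { console.log('rejected:', e.message); }
```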

Affected Version(s)

shell-quote >= 1.1.0 and < 1.8.4

References

CVSS V4

Score:
9.2
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Akshat Sinha (@akshatgit)
Jordan Harband (@ljharb)