CVE-2026-9277
Reported by harborist · Published May 22, 2026
shell-quote's `quote()` function did not validate object-token inputs against the operator model used by `parse()`. The `.op` field was backslash-escaped character by character using `/(.)/g`, which in JavaScript does not match line terminators (\n, \r, U+2028, U+2029). A line terminator in `.op` therefore passed through unescaped into the output; POSIX shells treat a literal newline as a command separator, so any content after it would execute as a second command. The vulnerable code path is reachable in two ways: (1) direct construction of `{ op: '...\n...' }` from external input, and (2) via `parse(cmd, envFn)` when `envFn` returns object tokens whose `.op` is attacker-influenced. Both are documented API surface. Fixed by replacing the per-character escape with strict shape validation: `.op` must match the parser's control-operator allowlist; `{ op: 'glob', pattern }` validates `pattern` and forbids line terminators; `{ comment }` validates `comment` and forbids line terminators; any other object shape throws `TypeError`.
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| shell-quote | 1.1.0 | |
| shell-quote | 1.1.0 |
Timeline
- May 22, 2026 CVE Published
- May 22, 2026 PoC Published
- May 23, 2026 EPSS Score
- May 24, 2026 EPSS Score
- May 25, 2026 EPSS Score
- May 26, 2026 EPSS Score
- May 27, 2026 EPSS Score
- May 28, 2026 EPSS Score
- May 29, 2026 EPSS Score
- May 30, 2026 EPSS Score
- May 31, 2026 EPSS Score
- Jun 1, 2026 EPSS Score
References
- GHSA-w7jw-789q-3m8p vendor-advisory
- Fix commit patch
- product
- product