CVE-2026-9277
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
shell-quote's quote() function did not validate object-token inputs against the operator model used by parse(). The .op field was backslash-escaped character by character using /(.)/g, which in JavaScript does not match line terminators (\n, \r, U+2028, U+2029). A line terminator in .op therefore passed through unescaped into the output; POSIX shells treat a literal newline as a command separator, so any content after it would execute as a second command. The vulnerable code path is reachable in two ways: (1) direct construction of { op: '...\n...' } from external input, and (2) via parse(cmd, envFn) when envFn returns object tokens whose .op is attacker-influenced. Both are documented API surface. Fixed by replacing the per-character escape with strict shape validation: .op must match the parser's control-operator allowlist; { op: 'glob', pattern } validates pattern and forbids line terminators; { comment } validates comment and forbids line terminators; any other object shape throws TypeError.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| shell-quote | 1.1.0 < 1.8.4 | affected |
Weaknesses
- CWE-78: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
- CWE-77: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
Additional References
CVE Program Container
Additional References
shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators
Additional References
- https://access.redhat.com/security/cve/CVE-2026-9277
- https://bugzilla.redhat.com/show_bug.cgi?id=2480741
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-9277.json
- https://access.redhat.com/errata/RHSA-2026:28010
- https://access.redhat.com/errata/RHSA-2026:34342
- https://access.redhat.com/errata/RHSA-2026:33574
- https://access.redhat.com/errata/RHSA-2026:26234
- https://access.redhat.com/errata/RHSA-2026:29197
- https://access.redhat.com/errata/RHSA-2026:29834
- https://access.redhat.com/errata/RHSA-2026:29795
- https://access.redhat.com/errata/RHSA-2026:26072
- https://access.redhat.com/errata/RHSA-2026:26080
- https://access.redhat.com/errata/RHSA-2026:26077
- https://access.redhat.com/errata/RHSA-2026:26079
- https://access.redhat.com/errata/RHSA-2026:26090
- https://access.redhat.com/errata/RHSA-2026:33683
- https://access.redhat.com/errata/RHSA-2026:30076
- https://access.redhat.com/errata/RHSA-2026:28571
- https://access.redhat.com/errata/RHSA-2026:26225
References
- https://github.com/ljharb/shell-quote/security/advisories/GHSA-w7jw-789q-3m8p
- https://github.com/ljharb/shell-quote/commit/1518179
- https://github.com/ljharb/shell-quote
- https://www.npmjs.com/package/shell-quote
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.