[Pkg-javascript-devel] Bug#1140921: node-shell-quote: CVE-2026-13311

Salvatore Bonaccorso carnil at debian.org
Sun Jun 28 13:09:05 BST 2026


Source: node-shell-quote
Version: 1.8.4+~1.7.5-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for node-shell-quote.

CVE-2026-13311[0]:
| shell-quote prior to 1.8.5 finalizes parsed tokens in parse() using
| Array.prototype.concat as a reduce accumulator, which reallocates
| and copies the entire growing array on every iteration. As a result
| parse() runs in O(n^2) time relative to the number of input tokens.
| An attacker who can supply an attacker-controlled string to any code
| path that calls parse() (no shell metacharacters are required; plain
| space-separated words suffice) can block the single-threaded Node.js
| event loop for an extended period with a small input, resulting in a
| denial of service. There is no code execution or data disclosure;
| impact is to availability only. Fixed in 1.8.5.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-13311
    https://www.cve.org/CVERecord?id=CVE-2026-13311
[1] https://github.com/ljharb/shell-quote/security/advisories/GHSA-395f-4hp3-45gv
[2] https://github.com/ljharb/shell-quote/commit/7ff5488599d01c323514f02f5efb74088dd134ec

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



More information about the Pkg-javascript-devel mailing list