CVE-2026-9277 - High Severity Vulnerability
Vulnerable Library - shell-quote-1.7.2.tgz
quote and parse shell commands
Library home page: https://registry.npmjs.org/shell-quote/-/shell-quote-1.7.2.tgz
Path to dependency file: /client/package.json
Path to vulnerable library: /client/node_modules/shell-quote/package.json
Dependency Hierarchy:
- react-scripts-3.4.1.tgz (Root Library)
  - react-dev-utils-10.2.1.tgz
    - ❌ shell-quote-1.7.2.tgz (Vulnerable Library)
Found in HEAD commit: 82d6429ed19093dbc56c092123fe7358b66c67b7
Found in base branch: master
Vulnerability Details
shell-quote's "quote()" function did not validate object-token inputs against the operator model used by "parse()". The ".op" field was backslash-escaped character by character using "/(.)/g", which in JavaScript does not match line terminators (\n, \r, U+2028, U+2029). A line terminator in ".op" therefore passed through unescaped into the output; POSIX shells treat a literal newline as a command separator, so any content after it would execute as a second command. The vulnerable code path is reachable in two ways: (1) direct construction of "{ op: '...\n...' }" from external input, and (2) via "parse(cmd, envFn)" when "envFn" returns object tokens whose ".op" is attacker-influenced. Both are documented API surface. Fixed by replacing the per-character escape with strict shape validation: ".op" must match the parser's control-operator allowlist; "{ op: 'glob', pattern }" validates "pattern" and forbids line terminators; "{ comment }" validates "comment" and forbids line terminators; any other object shape throws "TypeError".
Publish Date: 2026-05-22
URL: CVE-2026-9277
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-22
Fix Resolution: https://github.com/ljharb/shell-quote.git - v1.8.4, shell-quote - 1.8.4
Step up your Open Source Security Game with Mend here