@alon710
Created June 9, 2026 14:41
CVE-2026-9277: OS Command Injection in shell-quote via Object-Token Line Terminator Parsing Defect

CVSS Score: 8.1
Published: 2026-06-09
Full Report: https://cvereports.com/reports/CVE-2026-9277

Summary

A technical breakdown of the OS command injection vulnerability in the shell-quote NPM package (CVE-2026-9277 / GHSA-w7jw-789q-3m8p). The bug resides in the character-by-character backslash-escaping logic that the quote() function applies to the .op field of object-tokens. That logic is driven by a regular expression which fails to match, and therefore fails to escape, line terminators (\n, \r, \u2028, \u2029): in JavaScript the "." metacharacter skips exactly these characters unless the "s" (dotAll) flag is set. An unescaped newline in the generated command line is treated by a POSIX shell as a command separator, so an attacker who controls the .op value of a token that reaches quote() can execute arbitrary shell commands; with a network-reachable input path this needs no authentication.

TL;DR

An OS command injection vulnerability in shell-quote < 1.8.4 allows arbitrary command execution. The quote() function fails to escape line terminators within object-tokens because of a regular expression omission, so an attacker who can get a newline into a token's .op field (for example through parse() output or a custom parse() callback that is later passed back to quote()) can inject a line break that acts as a command separator in POSIX shells.

Exploit Status: POC

Technical Details

  • CWE ID: CWE-78 / CWE-77
  • Attack Vector: Network (AV:N)
  • CVSS Severity: 8.1 (High)
  • EPSS Score: 0.00068
  • Exploit Status: Proof of Concept
  • CISA KEV Status: Not Listed

Affected Systems

  • Node.js applications running shell-quote < 1.8.4
  • shell-quote: >= 1.1.0, < 1.8.4 (Fixed in: 1.8.4)

Mitigation

  • Upgrade shell-quote to version 1.8.4 or newer.
  • Implement input validation to ensure only string elements are passed to quote()
  • Review any custom callback passed to parse() so that it cannot return unchecked object-tokens (objects whose .op field is derived from untrusted input) that are later fed to quote()
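The mechanism described in the Summary and TL;DR, together with the string-only guard suggested under Mitigation, as an added JavaScript example. This is not code from the original report and it is not shell-quote's source: the functions escapeOpVulnerable, escapeOpFixed, joinTokens and assertStringTokens, and the sample token list, are assumptions modelled on the report's description of the defect.

```javascript
// Added example: a minimal model of the escaping defect described in this
// report and of the input guard suggested under Mitigation. This is NOT
// shell-quote's source; the function names below are assumptions.

// Model of the object-token branch of quote() as the report describes it:
// each character of the token's .op field is backslash-escaped through a
// regex built on ".". In JavaScript, "." without the "s" (dotAll) flag never
// matches a line terminator (\n, \r, \u2028, \u2029), so those characters
// come out of the replace untouched.
function escapeOpVulnerable(op) {
  return op.replace(/(.)/g, '\\$1');
}

// Hardened form: [\s\S] matches every code unit, line terminators included.
// A newline becomes backslash-newline, which POSIX shells treat as a line
// continuation rather than as a command separator.
function escapeOpFixed(op) {
  return op.replace(/([\s\S])/g, '\\$1');
}

// Minimal stand-in for quote(): object-tokens go through the op escaper,
// plain strings are joined as-is (the real string-escaping branches are
// out of scope for this demonstration).
function joinTokens(tokens, escapeOp) {
  return tokens
    .map((t) => (t && typeof t === 'object' ? escapeOp(String(t.op)) : String(t)))
    .join(' ');
}

// Mitigation guard: only plain strings may reach quote(). An object-token,
// for example one returned by a custom parse() callback, is rejected.
function assertStringTokens(tokens) {
  tokens.forEach((t, i) => {
    if (typeof t !== 'string') {
      throw new TypeError(`token ${i} is ${typeof t}, expected string`);
    }
  });
  return tokens;
}

// Constructed input: an object-token whose .op carries a newline, placed
// between two argv words. With the vulnerable escaper the newline survives
// and "id" becomes a second command line; with the fixed escaper it does not.
const CONSTRUCTED_TOKENS = ['echo', 'hi', { op: '\n' }, 'id'];

function demo() {
  const vulnerable = joinTokens(CONSTRUCTED_TOKENS, escapeOpVulnerable);
  const fixed = joinTokens(CONSTRUCTED_TOKENS, escapeOpFixed);
  return {
    vulnerable,
    fixed,
    vulnerableLines: vulnerable.split('\n').length, // 2: "id" runs on its own
    fixedLines: fixed.split(/(?<!\\)\n/).length,    // 1: the newline is escaped
  };
}

console.log(demo());
```

Running the block prints both command strings; the vulnerable one contains a bare newline and therefore two shell command lines, while the hardened one contains only a backslash-escaped newline. The guard is the cheapest defence when a caller cannot upgrade immediately: it rejects any non-string token before quote() is ever called, which closes the object-token path regardless of what the escaper does.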

Remediation Steps:

  1. Identify applications utilizing shell-quote in package.json
  2. Execute 'npm install shell-quote@1.8.4' to apply the official patch
  3. Verify that no vulnerable copy remains in the tree: run 'npm audit' for the advisory and 'npm ls shell-quote' to find transitive copies pinned by other dependencies, which need their own update or an override

Generated by CVEReports - Automated Vulnerability Intelligence
