{"id":"CVE-2026-13311","summary":"shell-quote parse() is quadratic in token count, enabling denial of service","details":"shell-quote prior to 1.8.5 finalizes parsed tokens in parse() using Array.prototype.concat as a reduce accumulator, which reallocates and copies the entire growing array on every iteration. As a result parse() runs in O(n^2) time relative to the number of input tokens. An attacker who can supply an attacker-controlled string to any code path that calls parse() (no shell metacharacters are required; plain space-separated words suffice) can block the single-threaded Node.js event loop for an extended period with a small input, resulting in a denial of service. There is no code execution or data disclosure; impact is to availability only. Fixed in 1.8.5.","aliases":["GHSA-395f-4hp3-45gv"],"modified":"2026-07-15T01:49:14.796782655Z","published":"2026-06-25T04:48:36.351Z","related":["openSUSE-SU-2026:11145-1","openSUSE-SU-2026:11149-1","openSUSE-SU-2026:21176-1"],"database_specific":{"cwe_ids":["CWE-407"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/13xxx/CVE-2026-13311.json","cna_assigner":"harborist"},"references":[{"type":"WEB","url":"https://www.npmjs.com/package"},{"type":"WEB","url":"https://www.npmjs.com/package/shell-quote"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/13xxx/CVE-2026-13311.json"},{"type":"ADVISORY","url":"https://github.com/ljharb/shell-quote/security/advisories/GHSA-395f-4hp3-45gv"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-13311"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ljharb/shell-quote","events":[{"introduced":"0"},{"fixed":"db09fc7a9e3546807c19e2de2682ec31112a6520"}],"database_specific":{"cpe":"cpe:2.3:a:shell-quote_project:shell-quote:*:*:*:*:*:node.js:*:*","extracted_events":[{"introduced":"0"},{"last_affected":"1.8.4"},{"fixed":"1.9.0"}],"source":["AFFECTED_FIELD","CPE_RANGE"]}}],"versions":["v1.8.4","v1.8.3","v1.8.2","v1.8.1","v1.8.0","v1.7.4","v1.7.3","v1.7.2","v1.7.1","v1.7.0","v1.6.3","v1.6.2","v1.6.1","v1.6.0","v1.5.0","v1.4.3","v1.4.2","v1.4.1","v1.4.0","v1.3.3","v1.3.2","v1.3.1","v1.3.0","v1.2.0","v1.1.0","v1.0.0","v0.1.1","v0.1.0","v0.0.1","v0.0.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-13311.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"}]}