{"id":"CVE-2026-9277","summary":"shell-quote `quote()` does not validate object-token shapes, allowing command injection via line terminators in `.op`","details":"shell-quote's `quote()` function did not validate object-token inputs against the operator model used by `parse()`. The `.op` field was backslash-escaped character by character using `/(.)/g`, which in JavaScript does not match line terminators (\\n, \\r, U+2028, U+2029). A line terminator in `.op` therefore passed through unescaped into the output; POSIX shells treat a literal newline as a command separator, so any content after it would execute as a second command. The vulnerable code path is reachable in two ways: (1) direct construction of `{ op: '...\\n...' }` from external input, and (2) via `parse(cmd, envFn)` when `envFn` returns object tokens whose `.op` is attacker-influenced. Both are documented API surface. Fixed by replacing the per-character escape with strict shape validation: `.op` must match the parser's control-operator allowlist; `{ op: 'glob', pattern }` validates `pattern` and forbids line terminators; `{ comment }` validates `comment` and forbids line terminators; any other object shape throws `TypeError`.","aliases":["GHSA-w7jw-789q-3m8p"],"modified":"2026-07-11T03:54:10.545148966Z","published":"2026-05-22T13:22:38.873Z","related":["CGA-qhgj-wh56-w944","openSUSE-SU-2026:10861-1","openSUSE-SU-2026:10979-1","openSUSE-SU-2026:20839-1","openSUSE-SU-2026:20919-1"],"database_specific":{"cwe_ids":["CWE-77","CWE-78"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/9xxx/CVE-2026-9277.json","cna_assigner":"harborist"},"references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2026/05/23/2"},{"type":"WEB","url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-9277.json"},{"type":"WEB","url":"https://www.npmjs.com/package/shell-quote"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:26072"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:26077"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:26079"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:26080"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:26090"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:26225"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:26234"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:28010"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:28571"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:29197"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:29795"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:29834"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:30076"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:33574"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:33683"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:34342"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:34791"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:36754"},{"type":"ADVISORY","url":"https://access.redhat.com/security/cve/CVE-2026-9277"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/9xxx/CVE-2026-9277.json"},{"type":"ADVISORY","url":"https://github.com/ljharb/shell-quote/security/advisories/GHSA-w7jw-789q-3m8p"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-9277"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2480741"},{"type":"FIX","url":"https://github.com/ljharb/shell-quote/commit/1518179"},{"type":"PACKAGE","url":"https://github.com/ljharb/shell-quote"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ljharb/shell-quote","events":[{"introduced":"9d4a8f57793e3e212b7798d5de4386e073134dfd"},{"fixed":"ff166e2b63eb5f932bd131a8886a99e9afdf45ae"}],"database_specific":{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"1.1.0"},{"fixed":"1.8.4"}]}}],"versions":["v1.8.3","v1.8.2","v1.8.1","v1.8.0","v1.7.4","v1.7.3","v1.7.2","v1.7.1","v1.7.0","v1.6.3","v1.6.2","v1.6.1","v1.6.0","v1.5.0","v1.4.3","v1.4.2","v1.4.1","v1.4.0","v1.3.3","v1.3.2","v1.3.1","v1.3.0","v1.2.0","v1.1.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-9277.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]}