- npm
- nodejs
- command-injection
- cve
- supply-chain
news
shell-quote quote() Newline Command Injection (CVE-2026-9277)
Sploitus-indexed PoC shows object-token newline in shell-quote quote() becomes POSIX command separator; fix in 1.8.4.
Summary
CVE-2026-9277 is a command injection vulnerability in the widely used shell-quote npm package (versions 1.1.0 – 1.8.3). The quote() function fails to escape line terminators (\n, \r, U+2028, U+2029) in object-token .op fields because its /(.)/g escape regex does not match newlines. POSIX shells treat literal newlines as command separators, so attacker-controlled content after the newline executes as a second command. A verification PoC is indexed on Sploitus. CVSS 9.2 (Sploitus) / 8.1 (GHSA).
OFFSITE.DARK did not release the PoC; Sploitus is cited as the index source.
Technical Details
Vulnerable pattern when callers pass object tokens to quote() and execute the result via /bin/sh:
```js
const { quote } = require('shell-quote');
// The object token's .op contains a literal newline. quote() in < 1.8.4 escapes
// it with /(.)/g, and `.` never matches a line terminator, so the newline
// reaches the output unescaped.
const s = quote([{ op: ';\nid' }]);
// /bin/sh reads the raw newline as a command separator and runs `id` as a
// second command.
require('child_process').execSync(s, { shell: '/bin/sh' });
```
| Aspect | Detail |
|---|---|
| Package | shell-quote (npm) |
| Affected | ≥ 1.1.0, < 1.8.4 |
| Fixed | 1.8.4 |
| CWE | CWE-77 / CWE-78 (command injection) |
| Reachability | Direct { op } construction or parse(cmd, envFn) returning poisoned object tokens |
Fix in 1.8.4: strict allowlist validation for .op values matching parser operators; glob and comment shapes validate patterns and forbid line terminators; unknown shapes throw TypeError.
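The escaping defect described above and a strict allowlist check modelled on the 1.8.4 fix, side by side. This is an added example, not shell-quote's source; the operator set, the `#` rendering of comment tokens, and the helper names are assumptions.

```javascript
// Added example (not shell-quote's code): models the vulnerable escaping
// and a strict, 1.8.4-style validation beside it. The operator list and the
// comment rendering below are assumptions, not taken from the advisory.

// Line terminators the advisory names: \n, \r, U+2028, U+2029.
const LINE_TERMINATOR = /[\n\r\u2028\u2029]/;

// Shell control operators accepted as object-token .op values (assumed set).
const ALLOWED_OPS = new Set([
  '||', '&&', ';;', '|&', '<(', '<<<', '>>', '>&', '<&',
  '&', ';', '|', '<', '>', '(', ')',
]);

// Vulnerable pattern: `.` in /(.)/g never matches a line terminator, so a
// newline inside .op survives unescaped and the shell reads it as a separator.
function escapeOpLegacy(token) {
  return token.op.replace(/(.)/g, '\\$1');
}

// Hardened pattern: validate the token shape first, escape only known operators.
// Every allowlisted operator is free of line terminators, so the /(.)/g gap
// can no longer be reached.
function quoteOpStrict(token) {
  if (!token || typeof token !== 'object') {
    throw new TypeError('expected an object token');
  }
  if (token.op === 'glob') {
    if (typeof token.pattern !== 'string' || LINE_TERMINATOR.test(token.pattern)) {
      throw new TypeError('glob pattern must be a string without line terminators');
    }
    return token.pattern;
  }
  if (typeof token.comment === 'string') {
    if (LINE_TERMINATOR.test(token.comment)) {
      throw new TypeError('comment must not contain line terminators');
    }
    return '#' + token.comment; // assumed rendering of a comment token
  }
  if (typeof token.op !== 'string' || !ALLOWED_OPS.has(token.op)) {
    throw new TypeError('unknown operator token: ' + JSON.stringify(token.op));
  }
  return token.op.replace(/(.)/g, '\\$1');
}

// Detection helper: reports whether a quoted fragment still carries a raw
// line terminator, i.e. whether /bin/sh would see more than one command.
function leaksSeparator(quoted) {
  return LINE_TERMINATOR.test(quoted);
}
```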
CVE
| Field | Value |
|---|---|
| CVE | CVE-2026-9277 |
| Credit | Akshat Sinha |
| Published | 2026-05-22 |
| GHSA | GHSA-w7jw-789q-3m8p |
| Sploitus date | 2026-06-15 |
Impact
Applications that feed object tokens (not plain strings) into quote() and pass output to a shell risk arbitrary command execution. shell-quote is a transitive dependency in many CLI and build-tool chains; impact depends on whether vulnerable call patterns exist in deployed code paths.
Mitigation
- Upgrade `shell-quote` to 1.8.4+ across direct and transitive dependencies (`npm ls shell-quote`).
- Audit code paths calling `quote()` with deserialized or user-influenced object arrays.
- Prefer `execFile`/`spawn` with argument arrays instead of shell string concatenation.
- Run `npm audit` and a lockfile refresh in CI after patch propagation.
Sources
- Sploitus — CVE-2026-9277 PoC (index reference)
- NVD — CVE-2026-9277
- oss-sec advisory