#1140921 node-shell-quote: CVE-2026-13311

Package:
src:node-shell-quote
Source:
src:node-shell-quote
Submitter:
Salvatore Bonaccorso
Date:
2026-06-28 12:37:02 UTC
Severity:
normal
Tags:
#1140921#5
Date:
2026-06-28 12:09:05 UTC
From:
To:
Hi,

The following vulnerability was published for node-shell-quote.

CVE-2026-13311[0]:
| shell-quote prior to 1.8.5 finalizes parsed tokens in parse() using
| Array.prototype.concat as a reduce accumulator, which reallocates
| and copies the entire growing array on every iteration. As a result
| parse() runs in O(n^2) time relative to the number of input tokens.
| An attacker who can supply an attacker-controlled string to any code
| path that calls parse() (no shell metacharacters are required; plain
| space-separated words suffice) can block the single-threaded Node.js
| event loop for an extended period with a small input, resulting in a
| denial of service. There is no code execution or data disclosure;
| impact is to availability only. Fixed in 1.8.5.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-13311
https://www.cve.org/CVERecord?id=CVE-2026-13311
[1] https://github.com/ljharb/shell-quote/security/advisories/GHSA-395f-4hp3-45gv
[2] https://github.com/ljharb/shell-quote/commit/7ff5488599d01c323514f02f5efb74088dd134ec

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
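
The quadratic accumulator pattern described in the advisory above, as an added example written for this page (not shell-quote's own code): a whitespace tokenizer stands in for parse(), the concat-based reduce is shown beside a push-based replacement with the element writes each performs counted, and a small helper checks whether an installed upstream version falls in the affected range (prior to 1.8.5). The names tokenize, finalizeQuadratic, finalizeLinear, compareWork and isAffectedVersion are assumptions made here.

```javascript
// Added example, not the shell-quote project's code. It reduces the pattern
// named in CVE-2026-13311 (Array.prototype.concat used as a reduce
// accumulator) to its essentials and puts the linear replacement beside it.

// Toy tokenizer (assumption): whitespace-separated words only. shell-quote's
// real parse() also handles quoting and metacharacters, which are not needed
// to show the complexity difference; the advisory notes plain words suffice.
function tokenize(input) {
  return input.split(/\s+/).filter(Boolean);
}

// Vulnerable shape: concat as the reduce accumulator. Every iteration
// allocates a fresh array and copies all elements gathered so far, so the
// element writes for n tokens sum to 1 + 2 + ... + n = n(n+1)/2, i.e. O(n^2).
function finalizeQuadratic(tokens) {
  var writes = 0;
  var result = tokens.reduce(function (acc, tok) {
    writes += acc.length + 1;   // re-copy of acc plus the new element
    return acc.concat(tok);     // allocates a new array each time
  }, []);
  return { result: result, writes: writes };
}

// Fixed shape: append into a single array. push is amortized O(1), so the
// total work is linear in the number of tokens (n writes for n tokens).
function finalizeLinear(tokens) {
  var result = [];
  var writes = 0;
  for (var i = 0; i < tokens.length; i++) {
    result.push(tokens[i]);
    writes += 1;                // only the new element is written
  }
  return { result: result, writes: writes };
}

// Counts the element writes each strategy performs for a constructed input
// of n one-character words, so the growth can be compared without timing.
function compareWork(n) {
  var tokens = tokenize(Array(n).fill('a').join(' '));
  return {
    n: n,
    quadraticWrites: finalizeQuadratic(tokens).writes,
    linearWrites: finalizeLinear(tokens).writes
  };
}

// Version check for the range in the advisory: affected if upstream < 1.8.5.
// Compares numerically, so "1.10.0" is correctly treated as newer than 1.8.5.
function isAffectedVersion(version) {
  var parts = version.split('.').map(Number);
  var fixed = [1, 8, 5];
  for (var i = 0; i < fixed.length; i++) {
    var v = parts[i] || 0;
    if (v < fixed[i]) return true;
    if (v > fixed[i]) return false;
  }
  return false;                 // exactly 1.8.5
}

// Example run: doubling n roughly quadruples the quadratic cost while the
// linear cost merely doubles.
console.log(compareWork(1000));  // quadraticWrites: 500500, linearWrites: 1000
console.log(compareWork(2000));  // quadraticWrites: 2001000, linearWrites: 2000
console.log(isAffectedVersion('1.8.4'), isAffectedVersion('1.8.5'));  // true false
```

The counters make the growth visible on small inputs; the same comparison done with wall-clock timing on a vulnerable version shows the event-loop stall the advisory describes. For code that cannot upgrade immediately, bounding the number of tokens accepted before calling parse() limits the damage, but the fix in 1.8.5 removes the quadratic step entirely.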

#1140921#8
Date:
2026-06-28 12:17:08 UTC
From:
To:
Hello,

Bug #1140921 in node-shell-quote reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/js-team/node-shell-quote/-/commit/80fc744f7015d1e14a8a237ecb415102a7ce7c80

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1140921

#1140921#13
Date:
2026-06-28 12:17:06 UTC
From:
To:
Hello,

Bug #1140921 in node-shell-quote reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/js-team/node-shell-quote/-/commit/80fc744f7015d1e14a8a237ecb415102a7ce7c80

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1140921

#1140921#18
Date:
2026-06-28 12:36:29 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
node-shell-quote, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1140921@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <yadd@debian.org> (supplier of updated node-shell-quote package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sun, 28 Jun 2026 14:18:14 +0200
Source: node-shell-quote
Architecture: source
Version: 1.9.0+~1.7.5-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Xavier Guimard <yadd@debian.org>
Closes: 1140921
Changes:
 node-shell-quote (1.9.0+~1.7.5-1) unstable; urgency=medium
 .
   * Team upload
   * Drop @types/shell-quote
   * New upstream version (Closes: #1140921, CVE-2026-13311)
Checksums-Sha1:
 e57a602f2514fc5273ec718102fc4b2780b81383 2476 node-shell-quote_1.9.0+~1.7.5-1.dsc
 6db4704742d307cd6d604e124e3ad6cd5ed943f3 2193 node-shell-quote_1.9.0+~1.7.5.orig-types-shell-quote.tar.gz
 85cd58417eae695899826273e92eaeb5975f9605 22045 node-shell-quote_1.9.0+~1.7.5.orig.tar.gz
 c32f8a2464c465dc7b22ece4899d7d23997095eb 3100 node-shell-quote_1.9.0+~1.7.5-1.debian.tar.xz
Checksums-Sha256:
 d0d2c5d5de441eafb62f9cf428239f38e75972b685d3c365e1b51e3923f41dae 2476 node-shell-quote_1.9.0+~1.7.5-1.dsc
 f9ebe399f6d1c6f23d772fc113a6f5600102fbe707dd6e7ac87bd5dc6a135ff2 2193 node-shell-quote_1.9.0+~1.7.5.orig-types-shell-quote.tar.gz
 2b96a62b42becc3a6def069e3c23b5dd1907c38ad979d937ca26a4041f7fa5dd 22045 node-shell-quote_1.9.0+~1.7.5.orig.tar.gz
 7ba18c107fd877269368ce97eeb2a66f3326cae460d8cd01044c1caa01099a67 3100 node-shell-quote_1.9.0+~1.7.5-1.debian.tar.xz
Files:
 ce2ae972ef823fc7da07c2c1663a7931 2476 javascript optional node-shell-quote_1.9.0+~1.7.5-1.dsc
 1a248d02401f7738169044d9bf08e636 2193 javascript optional node-shell-quote_1.9.0+~1.7.5.orig-types-shell-quote.tar.gz
 6fa20a20b7e9470d0ac7328f41d6ea3b 22045 javascript optional node-shell-quote_1.9.0+~1.7.5.orig.tar.gz
 372382a68f60600f7352b8c2ab721904 3100 javascript optional node-shell-quote_1.9.0+~1.7.5-1.debian.tar.xz