Threat Advisory

Shell-Quote Vulnerability Exposes Remote Command Execution

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-9277 (CVSS 8.1) is a command-injection flaw in the npm package shell-quote, affecting versions 1.1.0 through 1.8.3, in which the quote() function fails to escape newline characters in the .op field of object tokens. The function backslashes each character using a regular expression that does not match line terminators, so an attacker-controlled newline passes through unescaped; POSIX shells treat an unescaped newline as a command separator, so any payload placed after the newline is executed as a second command. An attacker can trigger the flaw by supplying a crafted object such as { op: ';\nmalicious' }, either directly to quote() or indirectly via the envFn callback of parse(); the attack requires only network-accessible input and no prior privileges or user interaction. Successful exploitation yields arbitrary shell command execution on the host running the vulnerable code, allowing the attacker to read, modify, or delete data and disrupt services. The vulnerability is reachable whenever an application feeds attacker-influenced object tokens into quote() and then passes the quoted string to a system shell, which makes it particularly dangerous for services that assemble commands from user data.
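The following is an added illustration, not shell-quote's own code: it reproduces the escaping mistake the summary describes (a per-character backslash escape built on `.`, which never matches a line terminator), the corrected character class, and a guard an application can place in front of quote() so that object tokens with line terminators or unexpected operators are rejected before any string reaches a shell. The escape functions are simplified stand-ins for quote()'s op handling, and the operator allowlist is a constructed example to be trimmed to what a given application actually needs.

```javascript
// Simplified stand-in for the vulnerable behaviour described in the advisory:
// `.` in a JavaScript regex (without the `s` flag) does not match \n, \r,
// \u2028 or \u2029, so those characters are left unescaped.
function escapeOpWithDot(op) {
  return op.replace(/(.)/g, '\\$1');
}

// Same per-character escape with a class that also matches line terminators.
function escapeOpAllChars(op) {
  return op.replace(/([\s\S])/g, '\\$1');
}

const LINE_TERMINATORS = /[\n\r\u2028\u2029]/;

// Constructed allowlist of operators this hypothetical application needs.
const ALLOWED_OPS = new Set(['|', '||', '&&', ';', '&']);

// Detection check for an escaped operator string: a line terminator is
// unescaped if it is preceded by an even number of backslashes (including zero).
function containsUnescapedLineTerminator(s) {
  for (let i = 0; i < s.length; i++) {
    if (!LINE_TERMINATORS.test(s[i])) continue;
    let backslashes = 0;
    for (let j = i - 1; j >= 0 && s[j] === '\\'; j--) backslashes++;
    if (backslashes % 2 === 0) return true;
  }
  return false;
}

// Guard to run over a token array before handing it to quote(): plain string
// arguments pass through, but every object token's .op must be a string
// without line terminators and must be on the allowlist.
function guardTokens(tokens) {
  for (const [i, tok] of tokens.entries()) {
    if (tok === null || typeof tok !== 'object') continue;
    if (!Object.prototype.hasOwnProperty.call(tok, 'op')) continue;
    if (typeof tok.op !== 'string') {
      return { ok: false, reason: `token ${i}: op is not a string` };
    }
    if (LINE_TERMINATORS.test(tok.op)) {
      return { ok: false, reason: `token ${i}: op contains a line terminator` };
    }
    if (!ALLOWED_OPS.has(tok.op)) {
      return { ok: false, reason: `token ${i}: op ${JSON.stringify(tok.op)} is not allowed` };
    }
  }
  return { ok: true };
}

// Demo on the advisory's shape of input (constructed, harmless payload text).
const probe = ';\nmalicious';
console.log('dot escape unescaped newline?', containsUnescapedLineTerminator(escapeOpWithDot(probe)));
console.log('full escape unescaped newline?', containsUnescapedLineTerminator(escapeOpAllChars(probe)));
console.log('guard:', guardTokens(['ls', { op: probe }]));
```

Until the upgrade to 1.8.4 is rolled out, running guardTokens over every token array that an application builds from external data gives a cheap, logged rejection point for this class of input.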

RECOMMENDATION:

  • We recommend updating shell-quote to version 1.8.4.

REFERENCES:

The following report contains further technical details:
https://github.com/advisories/GHSA-w7jw-789q-3m8p