{"uuid": "f4c0f277-3b10-4b94-88b2-871782baad5b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-w7jw-789q-3m8p", "type": "seen", "source": "https://gist.github.com/alon710/7c6790428586de0d6663a6b961e49e06", "content": "# CVE-2026-9277: OS Command Injection in shell-quote via Object-Token Line Terminator Parsing Defect\n\n> **CVSS Score:** 8.1\n> **Published:** 2026-06-09\n> **Full Report:** https://cvereports.com/reports/CVE-2026-9277\n\n## Summary\nA technical breakdown of the OS command injection vulnerability in the shell-quote npm package (CVE-2026-9277 / GHSA-w7jw-789q-3m8p). The bug resides in the character-by-character backslash-escaping applied to the `.op` field of object-tokens inside the `quote()` function. That step relies on a regular expression whose `.` metacharacter does not match line terminators (LF, CR, U+2028, U+2029) in JavaScript unless the `s` (dotAll) flag is set, so those characters pass through unescaped. An unauthenticated remote attacker who can control the `.op` value of a token processed by this library can therefore inject a newline and execute arbitrary shell commands.\n\n## TL;DR\nAn OS command injection vulnerability in shell-quote < 1.8.4 allows arbitrary command execution. The `quote()` function fails to escape line terminators within object-tokens because its escaping regular expression does not match them, enabling attackers to inject newlines that act as command separators in POSIX shells.\n\n## Exploit Status: Proof of Concept\n\n## Technical Details\n\n- **CWE ID**: CWE-78 / CWE-77\n- **Attack Vector**: Network (AV:N)\n- **CVSS Severity**: 8.1 (High)\n- **EPSS Score**: 0.00068\n- **Exploit Status**: Proof of Concept\n- **CISA KEV Status**: Not Listed\n\n## Affected Systems\n\n- Node.js applications running shell-quote < 1.8.4\n- **shell-quote**: >= 1.1.0, < 1.8.4 (Fixed in: `1.8.4`)\n\n## Mitigation\n\n- Upgrade shell-quote to version 1.8.4 or newer.\n- Validate the token arrays passed to `quote()`: pass only strings, or object-tokens whose `.op` is one of the operator strings the application expects and contains no line terminator (LF, CR, U+2028, U+2029).\n- Review any custom callback passed to `parse()`: object-tokens it returns are placed in the parsed output unchecked, so they must not be built from untrusted input.\n\n**Remediation Steps:**\n1. Identify applications utilizing shell-quote in package.json\n2. Execute 'npm install shell-quote@1.8.4' to apply the official patch\n3. Verify dependencies recursively using 'npm audit' to ensure no vulnerable transitive copies remain\n\n## References\n\n- [https://github.com/advisories/GHSA-w7jw-789q-3m8p](https://github.com/advisories/GHSA-w7jw-789q-3m8p)\n- [https://github.com/ljharb/shell-quote/security/advisories/GHSA-w7jw-789q-3m8p](https://github.com/ljharb/shell-quote/security/advisories/GHSA-w7jw-789q-3m8p)\n- [http://www.openwall.com/lists/oss-security/2026/05/23/2](http://www.openwall.com/lists/oss-security/2026/05/23/2)\n- [https://github.com/ljharb/shell-quote](https://github.com/ljharb/shell-quote)\n- [https://www.npmjs.com/package/shell-quote](https://www.npmjs.com/package/shell-quote)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-9277) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-09T14:41:30.000000Z"}
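Added example, not code from shell-quote or from the advisory author: a minimal JavaScript model of the object-token escaping step the report describes, in its vulnerable form (a per-character regex whose `.` skips line terminators) and a hardened form, together with the allow-list check suggested under Mitigation. The function names, the `ALLOWED_OPS` set and the attacker token array are this example's own assumptions and constructed input; the real library's fix may differ.

```javascript
// Added example (not shell-quote's own code): a model of the object-token
// escaping defect in vulnerable and hardened forms, plus a token validator.
// escapeOpVulnerable, escapeOpFixed, quoteTokens, findUnsafeToken and
// ALLOWED_OPS are names chosen for this example only.

const LINE_TERMINATORS = /[\n\r\u2028\u2029]/;

// Vulnerable form: `.` in a JavaScript regex without the `s` (dotAll) flag
// does not match line terminators, so LF/CR/U+2028/U+2029 in `op` are
// returned unescaped and reach the shell as command separators.
function escapeOpVulnerable(op) {
  return op.replace(/(.)/g, '\\$1');
}

// Hardened form: [\s\S] matches every code unit, so every character of the
// operator, including line terminators, gets a backslash in front of it.
// (Equivalent: op.replace(/(.)/gs, '\\$1') on engines with the `s` flag.)
function escapeOpFixed(op) {
  return op.replace(/([\s\S])/g, '\\$1');
}

// Join a token array into a command line the way a quote()-style API would:
// objects are operator tokens, everything else is a plain word. Plain words
// are single-quoted here for brevity; the defect lives in the operator path.
function quoteTokens(tokens, escapeOp) {
  return tokens
    .map((t) => {
      if (t && typeof t === 'object') return escapeOp(t.op);
      return "'" + String(t).replace(/'/g, "'\\''") + "'";
    })
    .join(' ');
}

// Mitigation-side check: accept only strings, or object-tokens whose `op`
// is a string in an explicit allow-list and contains no line terminator.
// Returns the first offending token, or null when the array is clean.
const ALLOWED_OPS = new Set(['|', '||', '&&', ';', '>', '>>', '<', '&']);

function findUnsafeToken(tokens) {
  for (const t of tokens) {
    if (t && typeof t === 'object') {
      if (typeof t.op !== 'string') return t;
      if (LINE_TERMINATORS.test(t.op) || !ALLOWED_OPS.has(t.op)) return t;
    }
  }
  return null;
}

// Constructed attacker input: the operator slot holds a bare newline, as an
// application would see if untrusted data were allowed to shape a token.
const ATTACKER_TOKENS = ['echo', 'hello', { op: '\n' }, 'id'];

function demo() {
  return {
    vulnerable: quoteTokens(ATTACKER_TOKENS, escapeOpVulnerable),
    fixed: quoteTokens(ATTACKER_TOKENS, escapeOpFixed),
    unsafe: findUnsafeToken(ATTACKER_TOKENS),
  };
}

const result = demo();
console.log(JSON.stringify(result.vulnerable)); // newline survives unescaped
console.log(JSON.stringify(result.fixed));      // newline now backslash-escaped
console.log(result.unsafe);                     // { op: '\n' } flagged before quoting
```

Handing `result.vulnerable` to `sh -c` runs `echo hello` and then `id` as a second command, because the bare LF terminates the first. In `result.fixed` the LF is preceded by a backslash, which POSIX sh treats as a line continuation, so the whole thing stays one `echo` invocation. The `findUnsafeToken` check is the application-side guard to keep in place even after upgrading, since it also catches operators the application never meant to emit.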