CVE Reports

Originally published at cvereports.com


CVE-2026-9277: OS Command Injection in shell-quote via Object-Token Line Terminator Parsing Defect

Vulnerability ID: CVE-2026-9277
CVSS Score: 8.1
Published: 2026-06-09

A technical breakdown of the OS command injection vulnerability in the shell-quote NPM package (CVE-2026-9277 / GHSA-w7jw-789q-3m8p). The bug resides in the character-by-character backslash-escaping logic that quote() applies to the .op field of object-tokens: because of an oversight in the JavaScript regular expression used to match each character, line terminators are never matched and therefore never escaped. This allows unauthenticated remote attackers to execute arbitrary shell commands if they can control inputs processed by this library.

TL;DR

An OS command injection vulnerability in shell-quote < 1.8.4 allows arbitrary command execution. The quote() function fails to escape line terminators within object-tokens due to a regular expression omission, enabling attackers to inject newlines that act as command separators in POSIX shells.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-78 / CWE-77
  • Attack Vector: Network (AV:N)
  • CVSS Severity: 8.1 (High)
  • EPSS Score: 0.00068
  • Exploit Status: Proof of Concept
  • CISA KEV Status: Not Listed

Affected Systems

  • Node.js applications running shell-quote < 1.8.4
  • shell-quote: >= 1.1.0, < 1.8.4 (Fixed in: 1.8.4)

Exploit Details

  • Research Advisory: Conceptual proof of concept detailing object token command injection using custom op payloads

Mitigation Strategies

  • Upgrade shell-quote to version 1.8.4 or newer.
  • Implement input validation so that only string elements are passed to quote().
  • Validate the output of any custom callbacks passed to parse() so that they cannot return unchecked object-tokens.
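As an added example (not code from the shell-quote project or from this report), the escaping defect described above reconstructed in miniature beside a hardened escaper, plus the string-only input gate recommended under Mitigation Strategies. escapeOpLegacy is an assumed simplification of the per-character escape the advisory describes, and quoteFn stands in for the library's quote().

```javascript
'use strict';
// Added example, not shell-quote's code. In JavaScript regexes the `.`
// metacharacter never matches a line terminator (\n, \r, U+2028, U+2029),
// so a per-character escape built on `.` leaves those bytes untouched.
const LINE_TERMINATORS = ['\n', '\r', '\u2028', '\u2029'];

// Assumed shape of the defective escape: `.` silently skips terminators.
function escapeOpLegacy(op) {
  return op.replace(/(.)/g, '\\$1');
}

// Hardened variant: [\s\S] matches every code unit, terminators included.
function escapeOpHardened(op) {
  return op.replace(/([\s\S])/g, '\\$1');
}

// Regression check a test suite can run against any escaper: does it
// return at least one line terminator unchanged?
function leavesTerminatorUnescaped(escapeFn) {
  return LINE_TERMINATORS.some(function (t) {
    return escapeFn(t) === t;
  });
}

// Mitigation from the advisory: only plain strings reach quote(). Object
// tokens such as { op: '&&' } (the form parse() callbacks can emit) are
// rejected, so the .op escaping path never sees untrusted data.
function assertStringArgs(xs) {
  if (!Array.isArray(xs)) throw new TypeError('quote() expects an array');
  xs.forEach(function (s, i) {
    if (typeof s !== 'string') {
      throw new TypeError('argument ' + i + ' is not a string (got ' + typeof s + ')');
    }
  });
  return xs;
}

// safeQuote: place the string-only gate in front of the real quote().
// quoteFn is assumed to be shell-quote's exported quote function.
function safeQuote(quoteFn, xs) {
  return quoteFn(assertStringArgs(xs));
}
```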

Remediation Steps:

  1. Identify applications utilizing shell-quote in package.json
  2. Execute 'npm install shell-quote@1.8.4' to apply the official patch
  3. Verify dependencies recursively using 'npm audit' to ensure no transitive vulnerabilities remain

Read the full report for CVE-2026-9277 on our website for more details including interactive diagrams and full exploit analysis.
