npm package
shell-quote
pkg:npm/shell-quote
Vulnerabilities (3)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-9277 | Hig | 8.1 | >= 1.1.0, < 1.8.4 | 1.8.4 | May 22, 2026 | shell-quote's `quote()` function did not validate object-token inputs against the operator model used by `parse()`. The `.op` field was backslash-escaped character by character using `/(.)/g`, which in JavaScript does not match line terminators (\n, \r, U+2028, U+2029). A line te | |
| CVE-2021-42740 | — | >= 1.6.3, < 1.7.3 | 1.7.3 | Oct 21, 2021 | The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command wi | ||
| CVE-2016-10541 | — | < 1.6.1 | 1.6.1 | May 31, 2018 | The npm module "shell-quote" 1.6.0 and earlier cannot correctly escape ">" and "<" operator used for redirection in shell. Applications that depend on shell-quote may also be vulnerable. A malicious user could perform code injection. |
- affected >= 1.1.0, < 1.8.4fixed 1.8.4
shell-quote's `quote()` function did not validate object-token inputs against the operator model used by `parse()`. The `.op` field was backslash-escaped character by character using `/(.)/g`, which in JavaScript does not match line terminators (\n, \r, U+2028, U+2029). A line te
- CVE-2021-42740Oct 21, 2021affected >= 1.6.3, < 1.7.3fixed 1.7.3
The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command wi
- CVE-2016-10541May 31, 2018affected < 1.6.1fixed 1.6.1
The npm module "shell-quote" 1.6.0 and earlier cannot correctly escape ">" and "<" operator used for redirection in shell. Applications that depend on shell-quote may also be vulnerable. A malicious user could perform code injection.