CVE-2026-13311 | shell-quote prior to 1.8.5 finalizes parsed tokens in parse(… | CVSS 7.5 HIGH

Description

shell-quote prior to 1.8.5 finalizes parsed tokens in parse() using Array.prototype.concat as a reduce accumulator, which reallocates and copies the entire growing array on every iteration. As a result parse() runs in O(n^2) time relative to the number of input tokens. An attacker who can supply an attacker-controlled string to any code path that calls parse() (no shell metacharacters are required; plain space-separated words suffice) can block the single-threaded Node.js event loop for an extended period with a small input, resulting in a denial of service. There is no code execution or data disclosure; impact is to availability only. Fixed in 1.8.5.

Metadata

CVE ID: CVE-2026-13311
State: PUBLISHED
Assigner: harborist
Reserved: 2026-06-25 04:39 UTC
Published: 2026-06-25 04:48 UTC
Last updated: 2026-06-25 04:48 UTC
Primary CWE: CWE-407
CWE-407 Inefficient Algorithmic Complexity
Vendor / Product: ljharb / shell-quote
Sources: cve.org · NVD

Severity & Metrics

7.5 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products (1)

Vendor	Product	Platform	Versions
ljharb	shell-quote	—	0 ≤ 1.8.4

Weakness (CWE)

CWE	Source	Description
CWE-407	cna	CWE-407 Inefficient Algorithmic Complexity

CVSS scores (2)

Score	Severity	Version	Source	Vector
8.7	HIGH	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
7.5	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (2)

GHSA-395f-4hp3-45gv https://github.com/ljharb/shell-quote/security/advisories/GHSA-395f-4hp3-45gv
https://www.npmjs.com/package/shell-quote