Message-ID: <CAJNb=ZrewJXpaRvMGj563+n3vWEH=Fijy45v52ccmvUKL=N7ng@mail.gmail.com>
Date: Fri, 22 May 2026 17:28:20 -0700
From: Akshat Sinha <akshat.snh@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2026-9277: shell-quote before 1.8.4 command injection in quote()

shell-quote before 1.8.4 contains a command injection issue in quote()
when applications pass object tokens with attacker-influenced .op values
to quote() and then execute the resulting string through a POSIX shell.

Affected versions: <= 1.8.3
Fixed version: 1.8.4
CVSS v3.1: 8.1 (High)

The issue is caused by quote() escaping .op character-by-character using
/(.)/g. In JavaScript this does not match line terminators, so a newline
in .op can pass through unescaped. In POSIX shells, a literal newline is
a command separator, so attacker-controlled content after it may execute
as a second command.

This requires a narrower integration pattern than ordinary string-based
shell injection: the application must pass object tokens into quote().
However, object tokens are part of the documented API surface, including
via parse(cmd, envFn) when envFn returns an object.

Proof of concept (Node.js, shell-quote 1.8.3):

const { quote } = require('shell-quote');
const s = quote([{ op: ';\nid' }]);
console.log(JSON.stringify(s));
require('child_process').execSync(s, { shell: '/bin/sh' });

In local testing, this produced a quoted string containing a literal
newline and caused /bin/sh to execute `id` as a second command.

The fix in 1.8.4 replaces escaping of arbitrary .op strings with strict
validation and allowlisting of valid operator values.

Timeline:
- 2026-05-09: issue reported
- 2026-05-22: advisory published, CVE assigned, and 1.8.4 released


References:
https://github.com/ljharb/shell-quote/security/advisories/GHSA-w7jw-789q-3m8p
https://www.npmjs.com/package/shell-quote
