Bug 2492642 (CVE-2026-13311)

Summary: CVE-2026-13311 shell-quote: shell-quote/parse: shell-quote: Denial of Service due to inefficient input parsing
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aazores, abarbaro, abrianik, alizardo, anpicker, ataylor, bbrownin, bdettelb, bparees, brasmith, cdrage, cmah, cochase, dbruscin, doconnor, dranck, dschmidt, dymurray, eaguilar, ebaron, eborisov, ehugonne, erezende, fdeutsch, ggrzybek, gmalinko, gparvin, hasun, ibolton, janstey, jchui, jfula, jhe, jkoehler, jlanda, jmatthew, jmontleo, jolong, jowilson, jraez, jwong, kshier, ktsao, kvanderr, lball, lchilton, lphiri, mstipich, nboldt, ngough, nyancey, oaljalju, omaciel, ometelka, oramraz, pahickey, parichar, pdelbell, pgaikwad, pjindal, psrna, ptisnovs, rexwhite, rhaigner, rhel-process-autobot, rjohnson, rstepani, rushinde, sfeifer, simaishi, slucidi, smullick, sseago, stcannon, sthirugn, stirabos, syedriko, tasato, teagle, thason, ttakamiy, veshanka, watson-tool-maintainers, xdharmai, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the `shell-quote` component. An attacker who can supply a specially crafted string to the `parse()` function can exploit an inefficiency in how the component processes input. This can cause the single-threaded Node.js event loop to be blocked for an extended period, leading to a denial of service (DoS) for the affected system. The vulnerability impacts the availability of the system, with no risk of code execution or data disclosure.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2492660, 2492667, 2492668, 2492661, 2492662, 2492663, 2492664, 2492665, 2492666, 2492669, 2492670    
Bug Blocks:    

Description OSIDB Bzimport 2026-06-25 06:02:52 UTC
shell-quote prior to 1.8.5 finalizes parsed tokens in parse() using Array.prototype.concat as a reduce accumulator, which reallocates and copies the entire growing array on every iteration. As a result parse() runs in O(n^2) time relative to the number of input tokens. An attacker who can supply an attacker-controlled string to any code path that calls parse() (no shell metacharacters are required; plain space-separated words suffice) can block the single-threaded Node.js event loop for an extended period with a small input, resulting in a denial of service. There is no code execution or data disclosure; impact is to availability only. Fixed in 1.8.5.