Bug 2492642 (CVE-2026-13311) - CVE-2026-13311 shell-quote: shell-quote/parse: shell-quote: Denial of Service due to inefficient input parsing
Summary: CVE-2026-13311 shell-quote: shell-quote/parse: shell-quote: Denial of Service...
Keywords:
Status: NEW
Alias: CVE-2026-13311
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2492660 2492667 2492668 2492661 2492662 2492663 2492664 2492665 2492666 2492669 2492670
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-06-25 06:02 UTC by OSIDB Bzimport
Modified: 2026-06-25 14:32 UTC (History)
85 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-06-25 06:02:52 UTC
shell-quote prior to 1.8.5 finalizes parsed tokens in parse() using Array.prototype.concat as a reduce accumulator, which reallocates and copies the entire growing array on every iteration. As a result parse() runs in O(n^2) time relative to the number of input tokens. An attacker who can supply an attacker-controlled string to any code path that calls parse() (no shell metacharacters are required; plain space-separated words suffice) can block the single-threaded Node.js event loop for an extended period with a small input, resulting in a denial of service. There is no code execution or data disclosure; impact is to availability only. Fixed in 1.8.5.


Note You need to log in before you can comment on or make changes to this bug.