CVE-2026-13311

shell-quote parse() is quadratic in token count, enabling denial of service

Assigner: harborist
Reserved: 25.06.2026 Published: 25.06.2026 Updated: 25.06.2026

shell-quote prior to 1.8.5 finalizes parsed tokens in parse() using Array.prototype.concat as a reduce accumulator, which reallocates and copies the entire growing array on every iteration. As a result parse() runs in O(n^2) time relative to the number of input tokens. An attacker who can supply an attacker-controlled string to any code path that calls parse() (no shell metacharacters are required; plain space-separated words suffice) can block the single-threaded Node.js event loop for an extended period with a small input, resulting in a denial of service. There is no code execution or data disclosure; impact is to availability only. Fixed in 1.8.5.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CVSS Score: 8.7

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	None	Confidentiality	None
Attack Complexity	Low	Integrity	None	Integrity	None
Attack Requirements	None	Availability	High	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 7.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	ljharb
Product	shell-quote
Versions	Default: unaffected affected from 0 to 1.8.4 (incl.)

Vendor

ljharb

Product

shell-quote

Versions

Default: unaffected

affected from 0 to 1.8.4 (incl.)

Credits

bibu123456 finder
Kayiz-PT coordinator
ljharb remediation developer

References

Problem Types

CWE-407 Inefficient Algorithmic Complexity CWE

Impacts

CAPEC-130 Excessive Allocation - a small crafted input forces parse() into quadratic-time work, exhausting CPU and blocking the single-threaded Node.js event loop, resulting in denial of service (availability only).