Intel

AIKIDO-2026-245392

shell-quote is vulnerable to Denial of Service (DoS)

Denial of Service (DoS)CVE-2026-13311 Published Jun 26, 2026

75

High Risk

This Affects:

JSshell-quote
0.0.0 - 1.8.4
Fixed in 1.9.0
Are you affected? Scan for Free

TL;DR

The parse function finalizes its token list using a reduce that rebuilds the accumulator through array concatenation on every iteration. Parsing input copies the whole growing array repeatedly, so the work scales quadratically with the number of tokens. A small space-separated string blocks the single-threaded event loop for tens of seconds and denies service to all other requests, and no shell metacharacters are needed to trigger it. The fix pushes entries into the accumulator in linear time instead of reallocating it.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application parses attacker-controlled input.

Background info

shell-quote is vulnerable to Denial of Service (DoS) in versions 0.0.0 - 1.8.4.

How to fix this

Upgrade the shell-quote library to the patch version.