shell-quote is vulnerable to Denial of Service (DoS)
75
High Risk
The parse function finalizes its token list using a reduce that rebuilds the accumulator through array concatenation on every iteration. Parsing input copies the whole growing array repeatedly, so the work scales quadratically with the number of tokens. A small space-separated string blocks the single-threaded event loop for tens of seconds and denies service to all other requests, and no shell metacharacters are needed to trigger it. The fix pushes entries into the accumulator in linear time instead of reallocating it.
You are affected if you are using a version that falls within the vulnerable range and your application parses attacker-controlled input.
shell-quote is vulnerable to Denial of Service (DoS) in versions 0.0.0 - 1.8.4.
Upgrade the shell-quote library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant