Source: node-shell-quote Version: 1.8.4+~1.7.5-1 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for node-shell-quote. CVE-2026-13311[0]: | shell-quote prior to 1.8.5 finalizes parsed tokens in parse() using | Array.prototype.concat as a reduce accumulator, which reallocates | and copies the entire growing array on every iteration. As a result | parse() runs in O(n^2) time relative to the number of input tokens. | An attacker who can supply an attacker-controlled string to any code | path that calls parse() (no shell metacharacters are required; plain | space-separated words suffice) can block the single-threaded Node.js | event loop for an extended period with a small input, resulting in a | denial of service. There is no code execution or data disclosure; | impact is to availability only. Fixed in 1.8.5. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-13311 https://www.cve.org/CVERecord?id=CVE-2026-13311 [1] https://github.com/ljharb/shell-quote/security/advisories/GHSA-395f-4hp3-45gv [2] https://github.com/ljharb/shell-quote/commit/7ff5488599d01c323514f02f5efb74088dd134ec Please adjust the affected versions in the BTS as needed. Regards, Salvatore -- Pkg-javascript-devel mailing list [email protected] https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
