Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2026-13311
PUBLISHED
More InfoOfficial Page
Assigner-harborist
Assigner Org ID-7ffcee3d-2c14-4c3e-b844-86c6a321a158
View Known Exploited Vulnerability (KEV) details
Published At-25 Jun, 2026 | 04:48
Updated At-25 Jun, 2026 | 12:49
Rejected At-
▼CVE Numbering Authority (CNA)
shell-quote parse() is quadratic in token count, enabling denial of service

shell-quote prior to 1.8.5 finalizes parsed tokens in parse() using Array.prototype.concat as a reduce accumulator, which reallocates and copies the entire growing array on every iteration. As a result parse() runs in O(n^2) time relative to the number of input tokens. An attacker who can supply an attacker-controlled string to any code path that calls parse() (no shell metacharacters are required; plain space-separated words suffice) can block the single-threaded Node.js event loop for an extended period with a small input, resulting in a denial of service. There is no code execution or data disclosure; impact is to availability only. Fixed in 1.8.5.

Affected Products
Vendor
ljharb
Product
shell-quote
Collection URL
https://www.npmjs.com/package
Package Name
shell-quote
Default Status
unaffected
Versions
Affected
  • From 0 through 1.8.4 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-407CWE-407 Inefficient Algorithmic Complexity
Type: CWE
CWE ID: CWE-407
Description: CWE-407 Inefficient Algorithmic Complexity
Metrics
VersionBase scoreBase severityVector
4.08.7HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Version: 4.0
Base score: 8.7
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-130CAPEC-130 Excessive Allocation - a small crafted input forces parse() into quadratic-time work, exhausting CPU and blocking the single-threaded Node.js event loop, resulting in denial of service (availability only).
CAPEC ID: CAPEC-130
Description: CAPEC-130 Excessive Allocation - a small crafted input forces parse() into quadratic-time work, exhausting CPU and blocking the single-threaded Node.js event loop, resulting in denial of service (availability only).
Solutions

Configurations

Workarounds

Exploits

Credits

finder
bibu123456
coordinator
Kayiz-PT
remediation developer
ljharb
Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/ljharb/shell-quote/security/advisories/GHSA-395f-4hp3-45gv
vendor-advisory
https://www.npmjs.com/package/shell-quote
product
Hyperlink: https://github.com/ljharb/shell-quote/security/advisories/GHSA-395f-4hp3-45gv
Resource:
vendor-advisory
Hyperlink: https://www.npmjs.com/package/shell-quote
Resource:
product
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/ljharb/shell-quote/security/advisories/GHSA-395f-4hp3-45gv
exploit
Hyperlink: https://github.com/ljharb/shell-quote/security/advisories/GHSA-395f-4hp3-45gv
Resource:
exploit
Details not found