Your message dated Wed, 27 May 2026 07:47:43 +0000
with message-id <[email protected]>
and subject line Bug#1137372: fixed in node-shell-quote 1.7.4+~1.7.1-1+deb13u1
has caused the Debian Bug report #1137372,
regarding node-shell-quote: CVE-2026-9277
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1137372: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137372
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-shell-quote
Version: 1.8.3+~1.7.5-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for node-shell-quote.

CVE-2026-9277[0]:
| shell-quote's `quote()` function did not validate object-token
| inputs against the operator model used by `parse()`. The `.op` field
| was backslash-escaped character by character using `/(.)/g`, which
| in JavaScript does not match line terminators (\n, \r, U+2028,
| U+2029). A line terminator in `.op` therefore passed through
| unescaped into the output; POSIX shells treat a literal newline as a
| command separator, so any content after it would execute as a second
| command. The vulnerable code path is reachable in two ways: (1)
| direct construction of `{ op: '...\n...' }` from external input, and
| (2) via `parse(cmd, envFn)` when `envFn` returns object tokens whose
| `.op` is attacker-influenced. Both are documented API surface. Fixed
| by replacing the per-character escape with strict shape validation:
| `.op` must match the parser's control-operator allowlist; `{ op:
| 'glob', pattern }` validates `pattern` and forbids line terminators;
| `{ comment }` validates `comment` and forbids line terminators; any
| other object shape throws `TypeError`.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-9277
    https://www.cve.org/CVERecord?id=CVE-2026-9277
[1] https://github.com/ljharb/shell-quote/security/advisories/GHSA-w7jw-789q-3m8p

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
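The escape gap and the strict-validation fix described in the advisory above, as an added example in JavaScript (not shell-quote's own code): the operator allowlist and the three accepted token shapes are assumptions modelled on the description, not the library's actual tables.

```javascript
// Added example (not shell-quote's own code): the /(.)/g escape gap behind
// CVE-2026-9277 next to a strict shape check of the kind the advisory
// describes. CONTROL_OPS is an assumed allowlist, not the library's table.
// Legacy behaviour: escape `.op` one character at a time. In JavaScript
// `.` never matches a line terminator, so those pass through untouched.
function escapeOpLegacy(op) {
  return String(op).replace(/(.)/g, '\\$1');
}

// The four line terminators that `.` skips: \n, \r, U+2028, U+2029.
const LINE_TERMINATOR = /[\n\r\u2028\u2029]/;

// Assumed control-operator allowlist modelled on the parser's operators.
const CONTROL_OPS = new Set(['||', '&&', ';;', '|&', '<(', '<<<', '>>', '>&',
  '<&', '&', ';', '(', ')', '|', '<', '>']);

// Strict validation: returns the token if it is one of the three documented
// shapes, throws TypeError for anything else (including hidden newlines).
function validateObjectToken(tok) {
  if (tok === null || typeof tok !== 'object') {
    throw new TypeError('object token expected');
  }
  if (tok.op === 'glob') {
    if (typeof tok.pattern !== 'string' || LINE_TERMINATOR.test(tok.pattern)) {
      throw new TypeError('glob pattern must be a string with no line terminator');
    }
    return tok;
  }
  if (typeof tok.op === 'string') {
    if (!CONTROL_OPS.has(tok.op)) throw new TypeError('unknown control operator');
    return tok;
  }
  if (typeof tok.comment === 'string') {
    if (LINE_TERMINATOR.test(tok.comment)) {
      throw new TypeError('comment must not contain a line terminator');
    }
    return tok;
  }
  throw new TypeError('unrecognised object token shape');
}

// Minimal quote() in the spirit of the fixed path: plain strings are
// single-quoted, object tokens must validate before their text is emitted.
function quoteTokens(tokens) {
  return tokens.map(function (tok) {
    if (typeof tok === 'string') return "'" + tok.replace(/'/g, "'\\''") + "'";
    const t = validateObjectToken(tok);
    if (t.op === 'glob') return t.pattern;
    return typeof t.op === 'string' ? t.op : '#' + t.comment;
  }).join(' ');
}
```

With the legacy escape, `escapeOpLegacy('\n')` returns the newline unchanged while `escapeOpLegacy(';')` returns `\;`; with the shape check, any token carrying a line terminator is rejected before it reaches the output.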
--- Begin Message ---
Source: node-shell-quote
Source-Version: 1.7.4+~1.7.1-1+deb13u1
Done: Xavier Guimard <[email protected]>

We believe that the bug you reported is fixed in the latest version of
node-shell-quote, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <[email protected]> (supplier of updated node-shell-quote package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Sat, 23 May 2026 11:56:08 +0200
Source: node-shell-quote
Binary: node-shell-quote
Architecture: source all
Version: 1.7.4+~1.7.1-1+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Xavier Guimard <[email protected]>
Description:
 node-shell-quote - quote and parse shell commands
Closes: 1137372
Changes:
 node-shell-quote (1.7.4+~1.7.1-1+deb13u1) trixie-security; urgency=medium
 .
   * Team upload
   * Validate object-token shapes (Closes: #1137372, CVE-2026-9277)



--- End Message ---