Your message dated Wed, 27 May 2026 07:48:06 +0000
with message-id <[email protected]>
and subject line Bug#1137372: fixed in node-shell-quote 1.7.4+~1.7.1-1+deb12u1
has caused the Debian Bug report #1137372,
regarding node-shell-quote: CVE-2026-9277
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1137372: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137372
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-shell-quote
Version: 1.8.3+~1.7.5-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for node-shell-quote.
CVE-2026-9277[0]:
| shell-quote's `quote()` function did not validate object-token
| inputs against the operator model used by `parse()`. The `.op` field
| was backslash-escaped character by character using `/(.)/g`, which
| in JavaScript does not match line terminators (\n, \r, U+2028,
| U+2029). A line terminator in `.op` therefore passed through
| unescaped into the output; POSIX shells treat a literal newline as a
| command separator, so any content after it would execute as a second
| command. The vulnerable code path is reachable in two ways: (1)
| direct construction of `{ op: '...\n...' }` from external input, and
| (2) via `parse(cmd, envFn)` when `envFn` returns object tokens whose
| `.op` is attacker-influenced. Both are documented API surface. Fixed
| by replacing the per-character escape with strict shape validation:
| `.op` must match the parser's control-operator allowlist; `{ op:
| 'glob', pattern }` validates `pattern` and forbids line terminators;
| `{ comment }` validates `comment` and forbids line terminators; any
| other object shape throws `TypeError`.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-9277
    https://www.cve.org/CVERecord?id=CVE-2026-9277
[1] https://github.com/ljharb/shell-quote/security/advisories/GHSA-w7jw-789q-3m8p
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
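The advisory quoted above describes both the pre-fix escape (`/(.)/g`, which skips JavaScript line terminators) and the post-fix shape validation. The following is an added example written for this page, not code from shell-quote, its upstream advisory, or the Debian package: it reconstructs the two behaviours from the advisory text so the fix can be covered by a regression test. The `CONTROL_OPS` allowlist is an assumption that approximates the operators `parse()` recognises, the re-emission of `{ comment }` as `#` + text is an assumption, and `quoteString()` is a simplified stand-in for shell-quote's own string quoting.

```javascript
'use strict';

// Added example reconstructed from the CVE-2026-9277 advisory text; not upstream code.

// ASSUMPTION: approximates the control operators shell-quote's parse() recognises;
// the exact allowlist in the fixed package may differ.
const CONTROL_OPS = new Set([
  '||', '&&', ';;', '|&', '<(', '>>', '>&', '<&',
  '&', ';', '(', ')', '|', '<', '>',
]);

// JavaScript's `.` never matches these four code points, so `/(.)/g` skips them.
const LINE_TERMINATOR = /[\n\r\u2028\u2029]/;

// Pre-fix behaviour: backslash-escape the op one character at a time.
function escapeOpLegacy(op) {
  return String(op).replace(/(.)/g, '\\$1');
}

// True when a line terminator is not immediately preceded by a backslash,
// i.e. when a POSIX shell would read it as a command separator.
function hasUnescapedLineTerminator(s) {
  return /(^|[^\\])[\n\r\u2028\u2029]/.test(s);
}

// Post-fix behaviour per the advisory: validate the token's shape and contents
// instead of escaping; any unexpected shape throws TypeError.
function quoteObjectToken(token) {
  if (token === null || typeof token !== 'object') {
    throw new TypeError('object token expected');
  }
  if (typeof token.op === 'string') {
    if (token.op === 'glob') {
      if (typeof token.pattern !== 'string' || LINE_TERMINATOR.test(token.pattern)) {
        throw new TypeError('glob token needs a string pattern without line terminators');
      }
      return token.pattern;
    }
    if (!CONTROL_OPS.has(token.op)) {
      throw new TypeError('unknown control operator: ' + JSON.stringify(token.op));
    }
    return token.op;
  }
  if (typeof token.comment === 'string') {
    if (LINE_TERMINATOR.test(token.comment)) {
      throw new TypeError('comment must not contain line terminators');
    }
    return '#' + token.comment; // ASSUMPTION: comments re-emitted with a leading '#'
  }
  throw new TypeError('unsupported object token shape');
}

// Simplified single-quote wrapping for plain string arguments (not shell-quote's own rules).
function quoteString(s) {
  if (s === '') return "''";
  if (/^[A-Za-z0-9_\/.,:=@%+-]+$/.test(s)) return s;
  return "'" + s.replace(/'/g, "'\\''") + "'";
}

// Hardened quote(): strings are quoted, object tokens are validated, then joined.
function quote(args) {
  return args
    .map((a) => (a && typeof a === 'object') ? quoteObjectToken(a) : quoteString(String(a)))
    .join(' ');
}

// Returns true when quote() rejects the argument list with a TypeError.
function rejectsWithTypeError(args) {
  try {
    quote(args);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// Regression check in the spirit of the advisory: the legacy escape leaves the
// newline in { op: '|\n' } unescaped; the validating version refuses the token.
function demo() {
  return {
    legacyLeaksNewline: hasUnescapedLineTerminator(escapeOpLegacy('|\n')),
    hardenedRejects: rejectsWithTypeError(['echo', 'x', { op: '|\n' }]),
    hardenedAccepts: quote(['echo', 'hi there', { op: '&&' }, 'ls']),
  };
}

console.log(demo());
```

Running the block prints `legacyLeaksNewline: true` and `hardenedRejects: true` side by side, which is the property a package test should pin down after applying the update: a control operator is either on the allowlist and emitted verbatim, or the call fails loudly, and no escaping step is trusted to neutralise characters a regex may not match.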
--- Begin Message ---
Source: node-shell-quote
Source-Version: 1.7.4+~1.7.1-1+deb12u1
Done: Xavier Guimard <[email protected]>
We believe that the bug you reported is fixed in the latest version of
node-shell-quote, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Xavier Guimard <[email protected]> (supplier of updated node-shell-quote package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 26 May 2026 15:45:25 +0200
Source: node-shell-quote
Binary: node-shell-quote
Architecture: source all
Version: 1.7.4+~1.7.1-1+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Xavier Guimard <[email protected]>
Description:
node-shell-quote - quote and parse shell commands
Closes: 1137372
Changes:
node-shell-quote (1.7.4+~1.7.1-1+deb12u1) bookworm-security; urgency=medium
.
* Team upload
* Validate object-token shapes (Closes: #1137372, CVE-2026-9277)
Checksums-Sha1:
050ffb815fe26e5c1dec39c15731477d88f2efbd 2508 node-shell-quote_1.7.4+~1.7.1-1+deb12u1.dsc
55369613f87067236e9199939ffd774ba684d18d 5328 node-shell-quote_1.7.4+~1.7.1-1+deb12u1.debian.tar.xz
a00f9c1bce710b2036463fcacc821727ec26aa95 14716 node-shell-quote_1.7.4+~1.7.1-1+deb12u1_all.deb
4d4ce00eb93646603a56a9f3e9f407081442093b 16202 node-shell-quote_1.7.4+~1.7.1-1+deb12u1_amd64.buildinfo
Checksums-Sha256:
0ea0e81640e8ada80c89d414a9689eb249345f9530cfbfcf939108e7d78cadb6 2508 node-shell-quote_1.7.4+~1.7.1-1+deb12u1.dsc
ed5de5737262d3a38a2f3f9ff2ba6de35156f8fbc35145ea4e1682d5b6342a66 5328 node-shell-quote_1.7.4+~1.7.1-1+deb12u1.debian.tar.xz
f1956a2ffe34e476dec4cf05797c8bc22ce4a4641a63f82ddb75bf3c868526e4 14716 node-shell-quote_1.7.4+~1.7.1-1+deb12u1_all.deb
d5212f2e5d874bc8fa5c4b8f5bcb2ed1039b3667293d3e468639df9b5e90f114 16202 node-shell-quote_1.7.4+~1.7.1-1+deb12u1_amd64.buildinfo
Files:
48c8102ffc26279314745cdc9d51ecd5 2508 javascript optional node-shell-quote_1.7.4+~1.7.1-1+deb12u1.dsc
f6a5b5c94ddc7acd67faed879a6cfc40 5328 javascript optional node-shell-quote_1.7.4+~1.7.1-1+deb12u1.debian.tar.xz
7b8bd2cc827a52dd034abafb2b41c43b 14716 javascript optional node-shell-quote_1.7.4+~1.7.1-1+deb12u1_all.deb
a34962c5b17224f26a71a326eb043215 16202 javascript optional node-shell-quote_1.7.4+~1.7.1-1+deb12u1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---