The npm package shell-quote has a command injection vulnerability in versions up to and including 1.8.3. Fix is in 1.8.4, released May 22. The package gets 52 million downloads per week.

CVE-2026-9277 (CVSS 8.1, High)

The bug

The quote() function handles object tokens with an .op field. To escape the operator value before it reaches a shell, it runs a /(.)/g replace, a character-by-character substitution.

That regex does not match line terminators. In JavaScript, /(.)/g uses the dot metacharacter without the s (dotAll) flag, so \n, \r, U+2028 (line separator) and U+2029 (paragraph separator) pass through unescaped.

In a POSIX shell, a literal newline is a command separator. So an attacker who controls the .op value can inject a newline and have everything after it execute as a separate command.

The path to exploitation:

  1. Your code calls parse(cmd, envFn) and envFn returns an object with an .op field, or you construct object tokens and pass them to quote() directly.
  2. That output gets passed to a shell (via child_process.exec, spawn with shell: true, or similar).
  3. An attacker controls the input that becomes .op.

If all three conditions are true, the attacker can run arbitrary commands with the privileges of your process.

The fix

Version 1.8.4 replaces the regex-based escaping with a strict allowlist of valid operator values. If the value is not in the allowlist, it does not pass through. That is the correct fix: validating what is allowed is safer than trying to escape everything that is not.
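To make the contrast concrete, here is an added JavaScript illustration that is not shell-quote's own code: a simplified escaper with the same dotAll gap, a defender-side check for the characters it leaves through, and an allowlist validator. The operator set in ALLOWED_OPS is assumed for this example, not copied from the 1.8.4 release.

```javascript
// Simplified reimplementations written for this page; not shell-quote source.

// Vulnerable pattern: backslash-escape every character that `.` matches.
// Without the s (dotAll) flag, `.` skips JavaScript line terminators
// (\n, \r, U+2028, U+2029), so those are copied through unchanged.
function escapeOpWithRegex(op) {
  return String(op).replace(/(.)/g, '\\$1');
}

// Defender-side audit check: would this value carry a line terminator past
// the regex escaper? Useful when reviewing inputs that can reach .op.
const LINE_TERMINATOR = /[\n\r\u2028\u2029]/;
function containsUnescapedTerminator(op) {
  return LINE_TERMINATOR.test(String(op));
}

// Hardened pattern: accept only known operator tokens, reject everything else.
// Assumed allowlist for this example (not the exact list shipped in 1.8.4).
const ALLOWED_OPS = new Set([
  '||', '&&', ';;', '|&', '<(', '>>', '>&', '&', ';', '(', ')', '|', '<', '>',
]);
function validateOpAllowlist(op) {
  if (typeof op !== 'string' || !ALLOWED_OPS.has(op)) {
    throw new Error(`rejected operator token: ${JSON.stringify(op)}`);
  }
  return op;
}

// Constructed samples: a benign operator, one with a trailing newline,
// and one with U+2028 (a JS line terminator that is not a shell separator,
// but still shows the escaper's blind spot).
const samples = ['&&', '&&\n', ';\u2028'];
for (const s of samples) {
  let verdict = 'allowed';
  try { validateOpAllowlist(s); } catch (e) { verdict = 'rejected'; }
  console.log(JSON.stringify(s),
              '| regex-escaped:', JSON.stringify(escapeOpWithRegex(s)),
              '| terminator leaks:', containsUnescapedTerminator(s),
              '| allowlist:', verdict);
}
```

The output shows the regex version emitting the newline untouched while the allowlist rejects the same value outright.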

Scope

shell-quote is a transitive dependency in a large number of Node.js build tools, CI utilities, and shell-wrapping packages. Many projects pull it in without knowing it. Check your dependency tree:

npm ls shell-quote
# or
npx installed-check shell-quote

If you see any version below 1.8.4, update.

npm update shell-quote

If the vulnerable version is pinned by a dependency you do not control, open an issue upstream or use an overrides entry in package.json:

{
  "overrides": {
    "shell-quote": ">=1.8.4"
  }
}

The vulnerability was reported on May 9, 2026 and fixed May 22. Thirteen days from report to release.

Supply chain angle

The risk here is not primarily from direct users of shell-quote -- it is from the packages that pull it in as a dependency, and the users of those packages who do not know it is there. That pattern appeared in the shai-hulud npm supply chain incident earlier this year. The difference is that CVE-2026-9277 is in a widely-used legitimate package, not a compromised one. The blast radius is still wide.


Sources: oss-security advisory; shell-quote on npm