Your message dated Sat, 23 May 2026 09:48:35 +0000
with message-id <[email protected]>
and subject line Bug#1137372: fixed in node-shell-quote 1.8.4+~1.7.5-1
has caused the Debian Bug report #1137372,
regarding node-shell-quote: CVE-2026-9277
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1137372: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137372
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-shell-quote
Version: 1.8.3+~1.7.5-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for node-shell-quote.
CVE-2026-9277[0]:
| shell-quote's `quote()` function did not validate object-token
| inputs against the operator model used by `parse()`. The `.op` field
| was backslash-escaped character by character using `/(.)/g`, which
| in JavaScript does not match line terminators (\n, \r, U+2028,
| U+2029). A line terminator in `.op` therefore passed through
| unescaped into the output; POSIX shells treat a literal newline as a
| command separator, so any content after it would execute as a second
| command. The vulnerable code path is reachable in two ways: (1)
| direct construction of `{ op: '...\n...' }` from external input, and
| (2) via `parse(cmd, envFn)` when `envFn` returns object tokens whose
| `.op` is attacker-influenced. Both are documented API surface. Fixed
| by replacing the per-character escape with strict shape validation:
| `.op` must match the parser's control-operator allowlist; `{ op:
| 'glob', pattern }` validates `pattern` and forbids line terminators;
| `{ comment }` validates `comment` and forbids line terminators; any
| other object shape throws `TypeError`.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-9277
    https://www.cve.org/CVERecord?id=CVE-2026-9277
[1] https://github.com/ljharb/shell-quote/security/advisories/GHSA-w7jw-789q-3m8p
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
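A model of the defect described in the report and of the shape validation the advisory says replaced it, added here as an example and not shell-quote's own code; the control-operator allowlist, the `#` prefix for comment tokens and the escaping of a validated operator are assumptions, not the library's actual implementation.

```javascript
// Added example, not shell-quote's code: models CVE-2026-9277 and its fix.
// The allowlist below is an assumed approximation of parse()'s operators.
const CONTROL_OPS = new Set([
  '||', '&&', ';;', '|&', '<<<', '>>', '>&', '<&', '<(',
  '|', '&', ';', '(', ')', '<', '>',
]);
// The four characters that '.' never matches in a JavaScript regex.
const LINE_TERMINATOR = /[\n\r\u2028\u2029]/;

// Pre-fix behaviour as described: escape each character of .op with /(.)/g.
// Line terminators are skipped by '.', so they reach the output unescaped.
function quoteOpLegacy(tok) {
  return tok.op.replace(/(.)/g, '\\$1');
}

// Post-fix model: only shapes the parser produces are accepted, and glob
// patterns and comments may not contain line terminators.
function quoteObjectToken(tok) {
  if (!tok || typeof tok !== 'object') throw new TypeError('object token expected');
  if (typeof tok.op === 'string') {
    if (tok.op === 'glob') {
      if (typeof tok.pattern !== 'string' || LINE_TERMINATOR.test(tok.pattern)) {
        throw new TypeError('invalid glob pattern');
      }
      return tok.pattern;
    }
    if (!CONTROL_OPS.has(tok.op)) throw new TypeError('unknown control operator');
    return tok.op.replace(/(.)/g, '\\$1'); // assumed: known operator still escaped
  }
  if (typeof tok.comment === 'string') {
    if (LINE_TERMINATOR.test(tok.comment)) throw new TypeError('line terminator in comment');
    return '#' + tok.comment; // assumed output form for a comment token
  }
  throw new TypeError('unsupported token shape');
}

// Defender-side check on quoted output: a raw line terminator means a
// command separator survived quoting.
function hasRawLineTerminator(s) {
  return LINE_TERMINATOR.test(s);
}

// Constructed input: an op value carrying a newline, the case the advisory describes.
const CONSTRUCTED_OP = { op: '|\n' };

function demo() {
  const legacy = quoteOpLegacy(CONSTRUCTED_OP);
  let fixed;
  try { quoteObjectToken(CONSTRUCTED_OP); fixed = 'accepted'; }
  catch (e) { fixed = e instanceof TypeError ? 'rejected' : 'error'; }
  return { legacyLeaksNewline: hasRawLineTerminator(legacy), fixed };
}
```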
--- Begin Message ---
Source: node-shell-quote
Source-Version: 1.8.4+~1.7.5-1
Done: Xavier Guimard <[email protected]>
We believe that the bug you reported is fixed in the latest version of
node-shell-quote, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Xavier Guimard <[email protected]> (supplier of updated node-shell-quote package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 23 May 2026 11:37:35 +0200
Source: node-shell-quote
Architecture: source
Version: 1.8.4+~1.7.5-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Xavier Guimard <[email protected]>
Closes: 1137372
Changes:
node-shell-quote (1.8.4+~1.7.5-1) unstable; urgency=medium
.
* Team upload
* Declare compliance with policy 4.7.4
* Drop "Rules-Requires-Root: no"
* Drop "Priority: optional"
* debian/watch version 5
* New upstream version (Closes: #1137372, CVE-2026-9277)
--- End Message ---