3 matches found
CVE-2021-42740
CVE-2021-42740 affects the shell-quote package for Node.js (pre-1.7.3). The Windows drive-letter regex character class was [A-z] instead of [A-Za-z], enabling injection of shell metacharacters when unescaped output is passed to a real shell via exec(). Attacks can lead to arbitrary command execution under the d...
CVE-2016-10541
CVE-2016-10541 – shell-quote (npm): The npm module shell-quote, version 1.6.0 and earlier, cannot correctly escape ">" and ", ;, {, } contribute to successful injection, underscoring the need for prompt update and reevaluation of input handling. Monitor for updates and apply the fixed release...
CVE-2026-13311
The CVE affects the shell-quote library prior to version 1.8.5. The parse() function accumulates tokens by using Array.prototype.concat as a reduce accumulator, causing O(n^2) time relative to token count and enabling a potential denial of service by blocking the Node.js event loop with small, at...