Severity
9.2
Critical severity
Details
- CVSS score
- 9.2
- CVSS vector
- CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- CWE ID
Overview
About vulnerability
shell-quote’squote() function did not validate object-token inputs against the operator model used by parse(). The .op field was backslash-escaped character by character using /(.)/g, which in JavaScript does not match line terminators (\n, \r, U+2028, U+2029). A line terminator in .op therefore passed through unescaped into the output; POSIX shells treat a literal newline as a command separator, so any content after it would execute as a second command. The vulnerable code path is reachable in two ways: (1) direct construction of { op: '...\n...' } from external input, and (2) via parse(cmd, envFn) when envFn returns object tokens whose .op is attacker-influenced. Both are documented API surface. Fixed by replacing the per-character escape with strict shape validation: .op must match the parser’s control-operator allowlist; { op: 'glob', pattern } validates pattern and forbids line terminators; { comment } validates comment and forbids line terminators; any other object shape throws TypeError.
Details
- Affected product:
- Next.js , Node.js , jpm , shell-quote
- Affected packages:
- next @ 11.1.3 (+10 more)
quote() function did not validate object-token inputs against the operator model used by parse(). The .op field was backslash-escaped character by character using /(.)/g, which in JavaScript does not match line terminators (\n, \r, U+2028, U+2029). A line terminator in .op therefore passed through unescaped into the output; POSIX shells treat a literal newline as a command separator, so any content after it would execute as a second command. The vulnerable code path is reachable in two ways: (1) direct construction of { op: '...\n...' } from external input, and (2) via parse(cmd, envFn) when envFn returns object tokens whose .op is attacker-influenced. Both are documented API surface. Fixed by replacing the per-character escape with strict shape validation: .op must match the parser’s control-operator allowlist; { op: 'glob', pattern } validates pattern and forbids line terminators; { comment } validates comment and forbids line terminators; any other object shape throws TypeError.