SCA: security update for shell-quote (GHSA-w7jw-789q-3m8p)

critical Tenable Cloud Security Plugin ID 442842

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- shell-quote's `quote()` function did not validate object-token inputs against the operator model used by
`parse()`. The `.op` field was backslash-escaped character by character using `/(.)/g`, which in
JavaScript does not match line terminators (\n, \r, U+2028, U+2029). A line terminator in `.op` therefore
passed through unescaped into the output; POSIX shells treat a literal newline as a command separator, so
any content after it would execute as a second command. The vulnerable code path is reachable in two ways:
(1) direct construction of `{ op: '...\n...' }` from external input, and (2) via `parse(cmd, envFn)` when
`envFn` returns object tokens whose `.op` is attacker-influenced. Both are documented API surface. Fixed
by replacing the per-character escape with strict shape validation: `.op` must match the parser's control-
operator allowlist; `{ op: 'glob', pattern }` validates `pattern` and forbids line terminators; `{ comment
}` validates `comment` and forbids line terminators; any other object shape throws `TypeError`.
(CVE-2026-9277)

Solution

Update the shell-quote library and its related packages to version 1.8.4 or later.

See Also

https://github.com/advisories/GHSA-w7jw-789q-3m8p

Plugin Details

Severity: Critical

ID: 442842

Version: Revision 1.2

Type: Local

Family: SCA Checks

Published: 6/9/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.9

Percentile: 96.92

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: High

Base Score: 7.6

Temporal Score: 6

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-9277

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.3

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Critical

Base Score: 9.2

Threat Score: 8.2

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/9/2026

Vulnerability Publication Date: 5/22/2026

Reference Information

CVE: CVE-2026-9277