shell-quote's quote() function did not validate object-token inputs against the operator model used by parse(). The .op field was backslash-escaped character by character using /(.)/g, which in JavaScript does not match line terminators (\n, \r, U+2028, U+2029). A line terminator in .op therefore passed through unescaped into the output; POSIX shells treat a literal newline as a command separator, so any content after it would execute as a second command. The vulnerable code path is reachable in two ways: (1) direct construction of { op: '...\n...' } from external input, and (2) via parse(cmd, envFn) when envFn returns object tokens whose .op is attacker-influenced. Both are documented API surface. Fixed by replacing the per-character escape with strict shape validation: .op must match the parser's control-operator allowlist; { op: 'glob', pattern } validates pattern and forbids line terminators; { comment } validates comment and forbids line terminators; any other object shape throws TypeError.
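As an added example (not shell-quote's own code), the following puts the per-character escape described above beside a shape validator of the kind the fix introduces. The control-operator set is an assumption meant to mirror what parse() recognises and should be checked against the installed version.

```javascript
// /(.)/g matches every character except line terminators (\n, \r, U+2028,
// U+2029), so those pass through the legacy escape untouched.
const PER_CHAR = /(.)/g;
const LINE_TERMINATOR = /[\n\r\u2028\u2029]/;

// Legacy behaviour: backslash-escape each character of .op.
function escapeOpLegacy(op) {
  return String(op).replace(PER_CHAR, '\\$1');
}

// True when the legacy escape leaves a raw line terminator in its output,
// i.e. a character a POSIX shell would read as a command separator.
function legacyLeaksLineTerminator(op) {
  return LINE_TERMINATOR.test(escapeOpLegacy(op));
}

// Control operators accepted for .op. Assumption: this mirrors the set
// recognised by shell-quote's parse(); verify against the installed version.
const CONTROL_OPS = new Set([
  '||', '&&', ';;', '|&', '<(', '>>', '>&', '&', ';', '(', ')', '|', '<', '>',
]);

// Hardened validation: accept exactly the three documented object-token
// shapes and reject any other shape or any embedded line terminator.
// Returns the shape name ('op', 'glob' or 'comment') or throws TypeError.
function validateObjectToken(token) {
  if (token === null || typeof token !== 'object') {
    throw new TypeError('object token expected');
  }
  if (Object.prototype.hasOwnProperty.call(token, 'op')) {
    if (token.op === 'glob') {
      if (typeof token.pattern !== 'string' || LINE_TERMINATOR.test(token.pattern)) {
        throw new TypeError('glob token needs a pattern without line terminators');
      }
      return 'glob';
    }
    if (typeof token.op !== 'string' || !CONTROL_OPS.has(token.op)) {
      throw new TypeError('op is not a recognised control operator');
    }
    return 'op';
  }
  if (Object.prototype.hasOwnProperty.call(token, 'comment')) {
    if (typeof token.comment !== 'string' || LINE_TERMINATOR.test(token.comment)) {
      throw new TypeError('comment must be a string without line terminators');
    }
    return 'comment';
  }
  throw new TypeError('unsupported object token shape');
}
```

Running legacyLeaksLineTerminator over tokens produced by an untrusted envFn is a quick way to confirm whether a given input would have reached the shell unescaped under the old code.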
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Cryostat 4 on RHEL 9 | RedHat | cryostat/cryostat-openshift-console-plugin-rhel9:4.2.0-10 | * |
| Cluster Observability Operator 1.5.0 | RedHat | cluster-observability-operator/distributed-tracing-console-plugin-pf4-rhel9:1782840519 | * |
| Cluster Observability Operator 1.5.0 | RedHat | cluster-observability-operator/distributed-tracing-console-plugin-pf5-rhel9:1782839981 | * |
| Cluster Observability Operator 1.5.0 | RedHat | cluster-observability-operator/distributed-tracing-console-plugin-pf6-rhel9:1782839193 | * |
| Cluster Observability Operator 1.5.0 | RedHat | cluster-observability-operator/distributed-tracing-console-plugin-rhel9:1782838753 | * |
| Cluster Observability Operator 1.5.0 | RedHat | cluster-observability-operator/logging-console-plugin-pf4-rhel9:1782839279 | * |
| Cluster Observability Operator 1.5.0 | RedHat | cluster-observability-operator/logging-console-plugin-pf5-rhel9:1782840539 | * |
| Cluster Observability Operator 1.5.0 | RedHat | cluster-observability-operator/logging-console-plugin-rhel9:1782841925 | * |
| Cluster Observability Operator 1.5.0 | RedHat | cluster-observability-operator/monitoring-console-plugin-pf5-rhel9:1782844225 | * |
| Cluster Observability Operator 1.5.0 | RedHat | cluster-observability-operator/monitoring-console-plugin-pf6-rhel9:1782839658 | * |
| Cluster Observability Operator 1.5.0 | RedHat | cluster-observability-operator/monitoring-console-plugin-rhel9:1782838476 | * |
| Cluster Observability Operator 1.5.0 | RedHat | cluster-observability-operator/troubleshooting-panel-console-plugin-pf6-rhel9:1782839996 | * |
| Cluster Observability Operator 1.5.0 | RedHat | cluster-observability-operator/troubleshooting-panel-console-plugin-rhel9:1782839494 | * |
| Red Hat Developer Hub 1.9 | RedHat | rhdh/rhdh-hub-rhel9:1781187342 | * |
| Red Hat Developer Hub 1.9 | RedHat | rhdh/rhdh-hub-rhel9:1782761244 | * |
| Red Hat Discovery 2 | RedHat | discovery/discovery-ui-rhel9:1782166952 | * |
| Red Hat OpenShift Container Platform 4.21 | RedHat | openshift4/ose-console-rhel9:1782308675 | * |
| Red Hat OpenShift Container Platform 4.22 | RedHat | openshift4/ose-console-rhel9:1782224390 | * |
| Red Hat OpenShift Service Mesh 2.6 | RedHat | openshift-service-mesh/kiali-ossmc-rhel8:1780907585 | * |
| Red Hat OpenShift Service Mesh 2.6 | RedHat | openshift-service-mesh/kiali-rhel8:1780916536 | * |
| Red Hat OpenShift Service Mesh 3.0 | RedHat | openshift-service-mesh/kiali-ossmc-rhel9:1780470245 | * |
| Red Hat OpenShift Service Mesh 3.0 | RedHat | openshift-service-mesh/kiali-rhel9:1780916345 | * |
| Red Hat OpenShift Service Mesh 3.1 | RedHat | openshift-service-mesh/kiali-ossmc-rhel9:1780470706 | * |
| Red Hat OpenShift Service Mesh 3.1 | RedHat | openshift-service-mesh/kiali-rhel9:1780916478 | * |
| Red Hat OpenShift Service Mesh 3.2 | RedHat | openshift-service-mesh/kiali-ossmc-rhel9:1780470003 | * |
| Red Hat OpenShift Service Mesh 3.2 | RedHat | openshift-service-mesh/kiali-rhel9:1780916392 | * |
| Red Hat OpenShift Service Mesh 3.3 | RedHat | openshift-service-mesh/kiali-ossmc-rhel9:1780997382 | * |
| Red Hat OpenShift Service Mesh 3.3 | RedHat | openshift-service-mesh/kiali-rhel9:1780997438 | * |
| Red Hat Quay 3.10 | RedHat | quay/quay-rhel8:1782487717 | * |
| Red Hat Quay 3.12 | RedHat | quay/quay-rhel8:1781937357 | * |
| Red Hat Quay 3.9 | RedHat | quay/quay-rhel8:1781878070 | * |
| Red Hat Satellite 6.18 | RedHat | satellite/iop-vulnerability-frontend-rhel9:1781032495 | * |
| Node-shell-quote | Ubuntu | devel | * |
| Node-shell-quote | Ubuntu | esm-apps/bionic | * |
| Node-shell-quote | Ubuntu | esm-apps/jammy | * |
| Node-shell-quote | Ubuntu | esm-apps/noble | * |
| Node-shell-quote | Ubuntu | esm-apps/resolute | * |
| Node-shell-quote | Ubuntu | jammy | * |
| Node-shell-quote | Ubuntu | noble | * |
| Node-shell-quote | Ubuntu | questing | * |
| Node-shell-quote | Ubuntu | resolute | * |
| Node-shell-quote | Ubuntu | upstream | * |
Many protocols and products have their own custom command language. While OS or shell command strings are frequently discovered and targeted, developers may not realize that these other command languages might also be vulnerable to attacks.