Rescana
High-Severity DoS Vulnerability in Node.js shell-quote Package Disclosed
CVE-2026-13311 is a high-severity Denial of Service (DoS) vulnerability affecting the Node.js package shell-quote (versions up to 1.8.4). It allows unauthenticated attackers to exploit the quadratic algorithmic complexity in the parse() function, blocking the Node.js event loop and causing service outages. The vulnerability does not involve code execution or data disclosure, impacting only availability. Affected systems include any Node.js services using shell-quote for user input parsing. The vulnerability was published on June 25, 2026, and is not currently known to be exploited in the wild, although proof-of-concept code is available. Users are advised to upgrade to shell-quote version 1.8.5 or later to mitigate the risk.
Key Points:
• CVE-2026-13311 affects Node.js shell-quote versions up to 1.8.4.
• The vulnerability allows remote denial of service via crafted input strings.
• No active exploitation has been reported as of June 2026, but PoC code is available.
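
To act on the upgrade advice, the following added example (not code from the advisory or from the shell-quote project) scans a parsed package-lock.json for any copy of shell-quote older than 1.8.5, including nested transitive copies. The function names and the sample lockfile are constructed for illustration, and treating a prerelease of 1.8.5 as unfixed is a conservative assumption.

```javascript
// Added example: flag shell-quote copies older than the fixed release in a lockfile.
const FIXED = [1, 8, 5]; // first fixed version named in the advisory text

// Split "1.8.4" or "1.8.5-rc.1" into numeric parts plus a prerelease flag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v));
  return m ? { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) } : null;
}

function isVulnerable(version) {
  const p = parseVersion(version);
  if (!p) return true; // git URL, link or tag: report it for manual review
  for (let i = 0; i < 3; i++) {
    if (p.nums[i] !== FIXED[i]) return p.nums[i] < FIXED[i];
  }
  return p.pre; // assumption: a prerelease of 1.8.5 is treated as not yet fixed
}

// Handles both layouts: "packages" (lockfileVersion 2/3) and nested "dependencies" (v1).
function findVulnerableShellQuote(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/shell-quote$/.test(path) && isVulnerable(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = trail + '/' + name;
      if (name === 'shell-quote' && isVulnerable(meta.version)) hits.push({ path: here, version: meta.version });
      walk(meta.dependencies, here);
    }
  };
  if (!lock.packages) walk(lock.dependencies, ''); // v2 files carry both; avoid duplicates
  return hits;
}

// Constructed sample lockfile (lockfileVersion 3), not taken from a real project.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-service', version: '1.0.0' },
    'node_modules/shell-quote': { version: '1.8.5' },
    'node_modules/launcher/node_modules/shell-quote': { version: '1.8.4' },
  },
};
console.log(findVulnerableShellQuote(SAMPLE_LOCK));
```

For a real project, pass JSON.parse of the package-lock.json contents instead of SAMPLE_LOCK; an empty result means no affected copy is pinned in the lockfile.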