Npm · Shell-Quote · CVE-2026-9277
**Name of the Vulnerable Software and Affected Versions**
shell-quote versions prior to 1.8.4
**Description**
The `quote()` function fails to validate object-token inputs against the operator model used by `parse()`. Specifically, the `.op` field is escaped using a regular expression that does not match line terminators such as `\n`, `\r`, `U+2028`, and `U+2029`. This allows line terminators to pass unescaped into the output. Since POSIX shells treat literal newlines as command separators, any content following the newline is executed as a separate command, leading to command injection. This issue is reachable through the direct construction of `{ op: '...\n...' }` from external input or via `parse(cmd, envFn)` when `envFn` returns object tokens with an attacker-influenced `.op` field.
**Recommendations**
Update to version 1.8.4 or later.
As a temporary workaround, restrict external input from influencing the `.op` field in object tokens passed to the `quote()` function or returned by `envFn` in the `parse()` function.
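One way to apply the workaround described above while waiting to upgrade is to audit the token array before it reaches `quote()`, and to wrap `envFn` so that it can never hand `parse()` an object token. The code below is an added example written for this page; it is not part of the shell-quote project or of this advisory. It assumes only the shape the advisory describes (object tokens carrying a string `.op` field, and `envFn` being called with a variable name); the operator allowlist and the sample token arrays are constructed for the example and should be adjusted to what an application actually needs.

```javascript
// Added example, not shell-quote's own code. Pre-checks for object tokens
// before they are passed to shell-quote's quote().

// Constructed, conservative allowlist of operators this example accepts in
// a token's .op field. Anything outside it is rejected.
const ALLOWED_OPS = new Set([
  '|', '||', '&', '&&', ';', '>', '>>', '<', '<<', '>&', '<&', '(', ')',
]);

// The four line terminators named in the advisory. The vulnerable escape
// regex did not match these; this check looks for them explicitly.
const LINE_TERMINATOR = /[\n\r\u2028\u2029]/;

function hasLineTerminator(value) {
  return typeof value === 'string' && LINE_TERMINATOR.test(value);
}

// Inspect a token array and return a list of problems. An empty list means
// every object token carries an allowlisted, terminator-free .op field.
function auditTokens(tokens) {
  const problems = [];
  tokens.forEach((tok, i) => {
    // Plain string tokens are quoted by the library itself; only object
    // tokens with an .op field are in scope for this check.
    if (tok === null || typeof tok !== 'object' || !('op' in tok)) return;
    if (typeof tok.op !== 'string') {
      problems.push(`token ${i}: .op is not a string`);
      return;
    }
    if (hasLineTerminator(tok.op)) {
      problems.push(`token ${i}: .op contains a line terminator`);
      return;
    }
    if (!ALLOWED_OPS.has(tok.op)) {
      problems.push(`token ${i}: .op ${JSON.stringify(tok.op)} is not an allowed operator`);
    }
  });
  return problems;
}

// Wrap an env lookup function so it can only ever return strings to parse().
// Assumption: parse() calls envFn with the variable name, as the advisory's
// `parse(cmd, envFn)` usage implies.
function stringOnlyEnv(envFn) {
  return (name) => {
    const value = envFn(name);
    if (value === undefined || value === null) return '';
    if (typeof value !== 'string') {
      throw new Error(`env lookup for ${name} did not return a string`);
    }
    return value;
  };
}

// Constructed sample token arrays, as a caller might build them from input.
const SAFE_TOKENS = ['echo', 'hello', { op: '&&' }, 'ls'];
const UNSAFE_TOKENS = ['echo', 'hello', { op: '\n' }, 'id'];

// Running the audit over the samples shows one clean result and one rejection.
function demo() {
  return {
    safe: auditTokens(SAFE_TOKENS),
    unsafe: auditTokens(UNSAFE_TOKENS),
  };
}
```

`auditTokens()` is meant to run immediately before `quote()`; if it returns any problems, the caller should refuse to build the command rather than try to repair the tokens. `stringOnlyEnv()` closes the second path the advisory names, since a lookup that returns only strings cannot introduce an object token with an attacker-influenced `.op` field.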