shell-quote is a package used to quote and parse shell commands.
Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity in the parseInternal function of parse.js, where parse() finalizes the token list with Array.prototype.concat inside a reduce, copying the entire growing array on every iteration for O(n²) behavior. An attacker can block the single-threaded Node.js event loop and sustain a denial of service by passing a large space-separated string to any code path that calls parse(), with roughly 128 KB stalling the loop for about 15 seconds and 256 KB for about 57 seconds.