GHSA-xrmc-c5cg-rv7xHigh· 8.8▾ TwilightSafeInstall agent guard shell parsing can miss raw package execution
▾ Twilight zone — High severity, or a signal on a lesser flaw
impact 48.4 · likelihood 0 · exploitation 0
Need a working PoC? Pro members can cast a request and our team develops one — it lands right here.
SafeInstall CLI through 0.10.1 can fail to recognize some package-manager and registry-runner commands in its agent guard. Case-variant launcher names, leading file-descriptor redirections, and supported shell wrappers with options can cause a raw install command to receive no guard decision. Remote project scaffolding through package-manager create/init commands can also avoid the approval decision used for other registry runners.
When the SafeInstall guard is installed for a coding agent, a crafted shell command can bypass the intended deny or ask response. The coding agent may then run a package installation or registry-provided scaffolding command without SafeInstall policy evaluation and without SafeInstall enforcing disabled lifecycle scripts.
Exploitation requires a coding agent to act on attacker-influenced instructions and issue the crafted shell command. A successful malicious package or runner can execute with the permissions of the developer account, affecting the confidentiality, integrity, and availability of local source code, credentials, and development resources.
The vulnerability is limited to guard interception. Commands already routed through the SafeInstall CLI continue to receive normal policy evaluation.
Version 0.10.2:
The patch includes a permanent regression corpus, table-driven parser characterization, an independent reference detector, and deterministic fuzz invariants. The integrated release candidate passed 626 tests, package smoke validation, and a one-million-command fuzz campaign with zero invariant violations.
Upgrade to safeinstall-cli 0.10.2 or later.
Until an upgrade is possible, manually review every coding-agent shell command and prevent the agent from invoking package managers or registry runners directly. Running an affected guard does not make raw package-manager execution safe.
Discovered, reproduced, and remediated by the SafeInstall maintainer during adversarial parser testing.
safeinstall-cli < 0.10.2Upgrade to a patched release:
safeinstall-cli 0.10.2Connected by shared product, vendor, weakness, or advisory.
CVE-2025-69264High· 8.8pnpm is a package manager
CVE-2026-40453Critical· 9.9The fix for CVE-2025-27636 added setLowerCase(true) to HttpHeaderFilterStrategy so that case-variant header names such as 'CAmelExecCommandExecutable' are filtered out alongside 'CamelExecCommandExecutable'
CVE-2026-42890Mediumactual Allows Electron to Run As Node
CVE-2026-48033High@hulumi/policies bypasses policy packs with a forged Pulumi-URN logical name
CVE-2026-48037Medium@hulumi/baseline: AccountFoundation reuse paths silently downgrade GuardDuty / Security Hub posture
CVE-2026-49459Medium· 6.1DOMPurify: IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM