CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-xrmc-c5cg-rv7x: SafeInstall agent guard shell parsing can miss raw package execution

highCVSS 8.8
Summary SafeInstall CLI through 0.10.1 can fail to recognize some package-manager and registry-runner commands in its agent guard. Case-variant launcher names, leading file-descriptor redirections, and supported shell wrappers with options can cause a raw install command to receive no guard decision. Remote project scaffolding through package-manager create/init commands can also avoid the approval decision used for other registry runners. Impact When the SafeInstall guard is installed for a coding agent, a crafted shell command can bypass the intended deny or ask response. The coding agent may then run a package installation or registry-provided scaffolding command without SafeInstall policy evaluation and without SafeInstall enforcing disabled lifecycle scripts. Exploitation requires a coding agent to act on attacker-influenced instructions and issue the crafted shell command. A successful malicious package or runner can execute with the permissions of the developer account, affecting the confidentiality, integrity, and availability of local source code, credentials, and development resources. The vulnerability is limited to guard interception. Commands already routed through the SafeInstall CLI continue to receive normal policy evaluation. Affected versions - safeinstall-cli <= 0.10.1 Patched version - safeinstall-cli 0.10.2 Fix Version 0.10.2: - normalizes package-manager and wrapper launcher names for detection and rewriting; - parses leading redirections before classifying the command; - handles supported wrapper option arity conservatively and fails closed on ambiguous embedded command syntax; - routes remote create/init scaffolding through the registry-runner approval path; - preserves SafeInstall routing for path-qualified package-manager invocations. The patch includes a permanent regression corpus, table-driven parser characterization, an independent reference detector, and deterministic fuzz invariants. The integrated release candidate passe

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
high — CVSS 8.8
Published
2026-07-10
Last updated
2026-07-10
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-xrmc-c5cg-rv7x

More from GitHub Security Advisories