6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-62378

GHSA ID

GHSA-fhwm-pc6r-4h2f

EPSS Score

CWE

CWE-706

Published

10/13/2025

Updated

10/15/2025

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-62378

CVE-2025-62378: CommandKit has incorrect command name exposure in context object for message command aliases

Impact

A logic flaw exists in the message command handler of CommandKit that affects how the commandName property is exposed to both middleware functions and command execution contexts when handling command aliases. When a message command is invoked using an alias, the ctx.commandName value reflects the alias rather than the canonical command name. This occurs in both middleware functions and within the command’s own run function.

Although not explicitly documented, CommandKit’s examples and guidance around middleware usage implicitly convey that ctx.commandName represents the canonical command identifier. Middleware examples in the documentation consistently use ctx.commandName to reference the command being executed, and the documentation describes middleware as suitable for “logging, authentication, permission checks, or any other cross-cutting concerns.” As a result, developers reasonably expect ctx.commandName to return the canonical command name and may rely on it for security-sensitive logic.

Developers who assume ctx.commandName is canonical may introduce unintended behavior when relying on it for logic such as permission checks, rate limiting, or audit logging. This could allow unauthorized command execution or inaccurate access control decisions. Slash commands and context menu commands are not affected.

Patches

Fixed in v1.2.0-rc.12. ctx.commandName now consistently returns the actual canonical command name, regardless of the alias used to invoke it.

Workaround

If upgrading isn't immediately possible:

Use ctx.command.data.command.name for permission validations, or
Include all command aliases in your permission logic.

References

(GitHub Advisory)

6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-62378

GHSA ID

GHSA-fhwm-pc6r-4h2f

EPSS Score

CWE

CWE-706

Published

10/13/2025

Updated

10/15/2025

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
commandkit	npm	>= 1.2.0-rc.1, <= 1.2.0-rc.11	1.2.0-rc.12

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists in the commandkit library, where the Context.commandName getter for message commands incorrectly returned the command alias instead of the canonical command name. This could cause security issues in applications that use this value for permission checks or other security-sensitive logic.

The analysis of the provided patch 440385a3e5de3fa3d2a76d23a807995cb29602fd reveals the exact location of the vulnerability and the fix.

Vulnerable Function Identification: The file packages/commandkit/src/app/commands/Context.ts contains the Context class with the commandName getter. The diff shows that the logic for handling message commands was changed. The old code returned the direct output of getCommand(), which was the alias. The new code calls a new function resolveMessageCommandName to get the canonical name.
Fix Analysis: A new function, resolveMessageCommandName, was added to the AppCommandHandler class in packages/commandkit/src/app/handlers/AppCommandHandler.ts. This function iterates through the loaded commands and their aliases to find the correct canonical command name for a given input, which could be an alias.

Therefore, the root cause of the vulnerability is the incorrect value being returned by Context.commandName. An attacker could exploit this by using a command's alias to bypass checks that are based on the canonical command name.

Vulnerable functions

Context.commandName

packages/commandkit/src/app/commands/Context.ts

The `commandName` getter in the `Context` class was returning the command alias instead of the canonical command name when a message command was invoked with an alias. This is because it directly returned the output of `this.config.messageCommandParser!.getCommand()`, which could be an alias. This could lead to bypass of security controls like permission checks if they relied on the command name for validation.

WAF Protection Rules

WAF Rule

### Imp**t * lo*i* *l*w *xists in t** m*ss*** *omm*n* **n*l*r o* *omm*n*Kit t**t *****ts *ow t** `*omm*n*N*m*` prop*rty is *xpos** to *ot* mi**l*w*r* *un*tions *n* *omm*n* *x**ution *ont*xts w**n **n*lin* *omm*n* *li*s*s. W**n * m*ss*** *omm*n* is i

Reasoning

T** vuln*r**ility *xists in t** `*omm*n*kit` li*r*ry, w**r* t** `*ont*xt.*omm*n*N*m*` **tt*r *or m*ss*** *omm*n*s in*orr**tly r*turn** t** *omm*n* *li*s inst*** o* t** **noni**l *omm*n* n*m*. T*is *oul* **us* s**urity issu*s in *ppli**tions t**t us*

6.1

Basic Information

Concerned about an active attack path?

CVE-2025-62378: CommandKit has incorrect command name exposure in context object for message command aliases

Impact

Patches

Workaround

References

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI