| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| commandkit | npm | >= 1.2.0-rc.1, <= 1.2.0-rc.11 | 1.2.0-rc.12 |
The vulnerability exists in the commandkit library, where the Context.commandName getter for message commands incorrectly returned the alias the user typed instead of the canonical command name. Applications that key permission checks, allow/deny lists, or other security-sensitive logic on this value could therefore be bypassed simply by invoking the command through one of its aliases.
The analysis of the provided patch 440385a3e5de3fa3d2a76d23a807995cb29602fd reveals the exact location of the vulnerability and the fix.
Vulnerable Function Identification: The file packages/commandkit/src/app/commands/Context.ts contains the Context class with the commandName getter. The diff shows that the logic for handling message commands was changed. The old code returned the direct output of getCommand(), which was the alias. The new code calls a new function resolveMessageCommandName to get the canonical name.
Fix Analysis: A new function, resolveMessageCommandName, was added to the AppCommandHandler class in packages/commandkit/src/app/handlers/AppCommandHandler.ts. This function iterates through the loaded commands and their aliases to find the correct canonical command name for a given input, which could be an alias.
Therefore, the root cause of the vulnerability is the incorrect value being returned by Context.commandName. An attacker could exploit this by invoking a command through one of its aliases, so that a check comparing commandName against the canonical command name (for example, a list of privileged commands) never matches. The fix resolves the typed token against every loaded command and its aliases, so the canonical name is returned regardless of which alias was used. Applications on the affected release candidates should upgrade to 1.2.0-rc.12 or later; any check that was written to compare against aliases as a workaround can then be simplified to use the canonical name.
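The following TypeScript is an added illustration of the behaviour described above and in the function and fix analysis; it is not commandkit's code. It models a small command registry with aliases, a getter that returns the raw typed token (the vulnerable behaviour), a resolver that walks loaded commands and their aliases to return the canonical name (the shape of the fix), and a permission check keyed on canonical names so the bypass can be observed. The names `CommandDef`, `loadedCommands`, `restrictedCommands`, `isAllowed` and `checkMessage`, the `!` prefix, and the sample commands are assumptions made for the example.

```typescript
// Added example, not commandkit's own code. All names below are assumptions.

interface CommandDef {
  name: string;       // canonical command name
  aliases: string[];  // alternative names a user may type
}

// Constructed sample registry: "ban" is privileged and also reachable as "b" or "hammer".
const loadedCommands: CommandDef[] = [
  { name: "ban", aliases: ["b", "hammer"] },
  { name: "ping", aliases: ["p"] },
];

// Constructed deny-list keyed on canonical names only, as a permission check
// that trusts Context.commandName would be written.
const restrictedCommands = new Set<string>(["ban"]);

// Extract the first token after the prefix, as a message-command parser would.
function getCommand(content: string, prefix = "!"): string | null {
  if (!content.startsWith(prefix)) return null;
  const token = content.slice(prefix.length).split(/\s+/)[0];
  return token.length > 0 ? token.toLowerCase() : null;
}

// Vulnerable behaviour: the getter hands back whatever the user typed,
// so an alias such as "hammer" is reported as the command name.
function vulnerableCommandName(content: string): string | null {
  return getCommand(content);
}

// Fixed behaviour: look the token up against every loaded command and its
// aliases and return the canonical name. Unknown tokens return null so that
// callers cannot accidentally treat them as an allowed command.
function resolveMessageCommandName(input: string): string | null {
  const needle = input.toLowerCase();
  for (const cmd of loadedCommands) {
    if (cmd.name.toLowerCase() === needle) return cmd.name;
    if (cmd.aliases.some((alias) => alias.toLowerCase() === needle)) return cmd.name;
  }
  return null;
}

function fixedCommandName(content: string): string | null {
  const token = getCommand(content);
  return token === null ? null : resolveMessageCommandName(token);
}

// Permission check that only consults the canonical name.
function isAllowed(commandName: string | null, userIsAdmin: boolean): boolean {
  if (commandName === null) return false;       // unknown command: deny
  return userIsAdmin || !restrictedCommands.has(commandName);
}

// End-to-end check of a message using either resolver.
function checkMessage(
  content: string,
  userIsAdmin: boolean,
  resolver: (content: string) => string | null,
): boolean {
  return isAllowed(resolver(content), userIsAdmin);
}

// Usage: a non-admin is blocked from "!ban" but slips past the check via "!hammer"
// with the vulnerable getter; the fixed resolver blocks both spellings.
console.log(checkMessage("!ban @user", false, vulnerableCommandName));    // false
console.log(checkMessage("!hammer @user", false, vulnerableCommandName)); // true (bypass)
console.log(checkMessage("!hammer @user", false, fixedCommandName));      // false
```

The important property of the fixed resolver is that every code path that compares, logs, or rate-limits on the command name sees one stable identifier; a check written against canonical names cannot be sidestepped by a new alias added later, because the resolver, not the caller, owns the alias table.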
Affected function: Context.commandName (packages/commandkit/src/app/commands/Context.ts)