
GHSA-fhwm-pc6r-4h2f: CommandKit has incorrect command name exposure in context object for message command aliases

CVSS Score
6.1 (CVSS v3.1)

Basic Information

CVE ID
-
EPSS Score
-
Published
10/13/2025
Updated
10/13/2025
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Package Name
commandkit
Ecosystem
npm
Vulnerable Versions
>= 1.2.0-rc.1, <= 1.2.0-rc.11
First Patched Version
1.2.0-rc.12

Vulnerability Intelligence

Root Cause Analysis

The vulnerability exists because the commandName property on the context object (ctx) did not resolve command aliases to their canonical names for message-based commands. This could cause security controls, such as permission checks in middleware, to fail if they relied on the canonical command name. The analysis of the patch 440385a3e5de3fa3d2a76d23a807995cb29602fd confirms this. The change in packages/commandkit/src/app/commands/Context.ts modifies the commandName getter to correctly resolve the command name. Previously, it returned the output of getCommand(), which could be an alias. The fix introduces a call to resolveMessageCommandName to ensure the canonical name is always returned. Therefore, the Context.commandName getter is the vulnerable function, as it was the source of the incorrect command name that could be used to bypass security checks.

Vulnerable functions

Context.commandName
packages/commandkit/src/app/commands/Context.ts
The vulnerability lies in the `commandName` getter of the `Context` class. When a message command was invoked using an alias, this function would incorrectly return the alias instead of the canonical command name. The original implementation returned `this.config.messageCommandParser!.getCommand()`, which provided the raw command input (the alias). The patch fixes this by taking that value and resolving it to the actual command name using the new `resolveMessageCommandName` method.
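To make the failure mode concrete, here is an added illustrative model (not CommandKit's source code) of the pre-patch and patched `commandName` getter described in the root cause analysis and the vulnerable-function note above, together with a middleware permission check keyed on the canonical command name. The command registry, the `getCommand` stand-in, the `PROTECTED` permission table and the body of the `resolveMessageCommandName` helper are assumptions constructed for this example.

```javascript
// Illustrative model (added example, not CommandKit's source) of the bug in
// GHSA-fhwm-pc6r-4h2f: ctx.commandName exposing a message command alias
// instead of the canonical name, and the resolution the patch introduces.

// Constructed registry: canonical command names and their aliases.
const COMMANDS = {
  ban: { aliases: ['b', 'banish'] },
  hello: { aliases: ['hi'] },
};

// Hypothetical helper named after the patch's resolveMessageCommandName:
// maps an alias to its canonical name; canonical names map to themselves.
function resolveMessageCommandName(raw) {
  if (Object.prototype.hasOwnProperty.call(COMMANDS, raw)) return raw;
  for (const [canonical, def] of Object.entries(COMMANDS)) {
    if (def.aliases.includes(raw)) return canonical;
  }
  return raw; // unknown command: passed through unchanged
}

// Stand-in for the parser's getCommand(): the first token after the prefix.
function getCommand(content, prefix = '!') {
  if (!content.startsWith(prefix)) return null;
  return content.slice(prefix.length).split(/\s+/)[0];
}

// Pre-patch behaviour: the getter returns the raw token, alias included.
class VulnerableContext {
  constructor(content) { this.raw = getCommand(content); }
  get commandName() { return this.raw; }
}

// Patched behaviour: the raw token is resolved to the canonical name.
class FixedContext extends VulnerableContext {
  get commandName() { return resolveMessageCommandName(this.raw); }
}

// Middleware that keys a permission check on the canonical name, the pattern
// the advisory says could fail when the command is invoked via an alias.
const PROTECTED = { ban: 'MODERATE' };
function permissionMiddleware(ctx, userPermissions) {
  const needed = PROTECTED[ctx.commandName];
  if (needed && !userPermissions.includes(needed)) return 'deny';
  return 'allow';
}
```

With the vulnerable getter, `!b` never matches the `ban` entry in `PROTECTED`, so the check is skipped; with the patched getter the alias resolves to `ban` and the permission requirement is enforced.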

WAF Protection Rules

WAF Rule

### Impact
A logic flaw exists in the message command handler of CommandKit that affects how the `commandName` property is exposed to both middleware functions and command execution contexts when handling command aliases. When a message command is in
