
Necboy

#25867 of 53,625
9.8 CVSS total
Vulnerabilities · 1
PT-2026-29254
9.8
2026-03-31
Unknown · Dsai-Cline · CVE-2026-30312
**Name of the Vulnerable Software and Affected Versions**

DSAI-Cline (affected versions not specified)

**Description**

The command auto-approval module in DSAI-Cline has a critical OS command injection issue that bypasses its whitelist security. The system uses string-based parsing for command validation, blocking operators like `;`, `&&`, `||`, `|`, and command substitution, but it does not handle newline characters within the input. An attacker can embed a newline character between a permitted command and malicious code (for example, `git log malicious command`). DSAI-Cline incorrectly identifies this as a safe operation and automatically approves it. The PowerShell interpreter then executes both commands sequentially, leading to Remote Code Execution without user interaction.

**Recommendations**

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
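The validation gap in the description can be reproduced with a small stand-in validator. This is an added example, not DSAI-Cline's code: the allowlist, function names and sample inputs are hypothetical, and it shows the flawed check beside a hardened one that rejects line breaks and other control characters before any other parsing.

```javascript
// Added illustration, not DSAI-Cline source code. The allowlist, function
// names and sample inputs are hypothetical and constructed for this example.
const ALLOWED = [["git", "log"], ["git", "status"]];
const BLOCKED_OPERATORS = [";", "&&", "||", "|", "$(", "`"];

function matchesAllowlist(tokens) {
  return ALLOWED.some((prefix) => prefix.every((word, i) => tokens[i] === word));
}

// Flawed pattern from the description: operators are blocked by substring
// search, but tokenising on \s+ treats a line break like a space, so a
// second line rides along behind the permitted prefix.
function naiveAutoApprove(command) {
  if (BLOCKED_OPERATORS.some((op) => command.includes(op))) return false;
  return matchesAllowlist(command.trim().split(/\s+/));
}

// Hardened check: refuse any control character or Unicode line separator
// before looking at operators, then tokenise on plain spaces only.
const LINE_OR_CONTROL = /[\u0000-\u001f\u007f\u0085\u2028\u2029]/;
function strictAutoApprove(command) {
  if (LINE_OR_CONTROL.test(command)) return false;
  if (BLOCKED_OPERATORS.some((op) => command.includes(op))) return false;
  return matchesAllowlist(command.split(" ").filter(Boolean));
}

// Constructed inputs; SECOND_COMMAND is a placeholder, not a real payload.
const SAMPLES = [
  "git log --oneline -5",
  "git log; SECOND_COMMAND",
  "git log\nSECOND_COMMAND",
  "git log\r\nSECOND_COMMAND",
];

// Run both validators over each sample and report the decisions side by side.
function compare(samples = SAMPLES) {
  return samples.map((cmd) => ({
    command: JSON.stringify(cmd),
    naive: naiveAutoApprove(cmd),
    strict: strictAutoApprove(cmd),
  }));
}

console.table(compare());
```

String validation of this kind is a backstop: executing the approved command as an argument vector through a process API, rather than handing a single string to a shell, removes the interpreter's line and operator parsing from the path entirely.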