CVE-2025-62378

Name of the Vulnerable Software and Affected Versions CommandKit versions 1.2.0-rc.1 through 1.2.0-rc.11

Description CommandKit is a discord.js meta-framework used for building Discord bots. A flaw in the message command handler affects how the commandName property is exposed during command alias usage. When a command is invoked using an alias, the ctx.commandName value reflects the alias instead of the actual command name in both middleware functions and the command’s execution context. This discrepancy can lead to unintended behavior in logic relying on the canonical command name, such as permission checks or rate limiting, potentially allowing unauthorized command execution or inaccurate access control. Slash commands and context menu commands are not affected.

Recommendations Versions prior to 1.2.0-rc.12 should be updated to version 1.2.0-rc.12 or later to ensure ctx.commandName consistently returns the canonical command name.