PT-2026-33557 · Npm · Skilleton
Published 2026-04-08 · Updated 2026-04-08
CVSS v4.0: 6.9 (Medium)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
Summary
skilleton versions prior to 0.3.1 include security-related weaknesses in repository normalization and path handling logic.
Version 0.3.1 contains fixes and additional test coverage for these issues.
Affected Versions
<0.3.1
Patched Versions
>=0.3.1
Impact
In affected versions, crafted input could trigger unsafe behavior in the git argument and path handling code paths, or inefficient (regex-driven) behavior in repository URL normalization.
0.3.1 mitigates this by:
- replacing vulnerable parsing behavior with deterministic logic,
- validating subpaths earlier before allocating git worktree resources,
- adding stricter and broader regression tests around these flows.
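The following is an added example, not code from the skilleton project, showing in Node.js the shape of the two fixes listed above: a linear-time repository URL normalizer in place of a backtracking regex, and subpath validation that runs before any git worktree is created, with every user-derived value placed after `--` in git's argv. The regex, the scheme allowlist, the function names and the git invocation are all assumptions made for illustration and are not the project's actual pattern or API.

```javascript
// Added example for this advisory; NOT skilleton's code. It illustrates the two
// weakness classes the advisory names: a backtracking-prone regex in URL
// normalization (resource exhaustion / DoS) and unchecked URLs or subpaths
// reaching git's argv (argument injection, path traversal). Every name, the
// regex, the scheme allowlist and the git invocation are assumptions.

// "Before" picture: nested quantifiers over an ambiguous suffix. On input such
// as "/".repeat(40) + "x" the engine tries exponentially many ways to split the
// slashes between the inner and outer groups before failing at "$", so a single
// crafted URL can pin a CPU core. Kept only to show the weakness; never run it.
const FRAGILE_SUFFIX_RE = /^(.*?)((\/|\.git)+)*$/;

// Assumption: the schemes this tool is willing to hand to `git clone`.
const ALLOWED_PREFIXES = ['https://', 'ssh://', 'git@'];

// "After" picture: strip trailing "/" and ".git" with a loop. Every iteration
// removes at least one character, so the cost is linear in the input length
// and there is no regex state for an attacker to blow up.
function normalizeRepoUrl(raw) {
  if (typeof raw !== 'string') throw new TypeError('repo URL must be a string');
  let url = raw.trim();
  // A leading "-" would be parsed by git as an option, not as a URL.
  if (url.startsWith('-')) throw new Error('repo URL looks like a git option');
  let changed = true;
  while (changed) {
    changed = false;
    while (url.endsWith('/')) { url = url.slice(0, -1); changed = true; }
    if (url.endsWith('.git')) { url = url.slice(0, -4); changed = true; }
  }
  if (!ALLOWED_PREFIXES.some((p) => url.startsWith(p))) {
    throw new Error('repo URL must use an allowed scheme');
  }
  return url;
}

// Check a repository-relative subpath *before* any clone or worktree exists, so
// a rejected value never costs a network round trip or leaves a directory
// behind. Returns { ok, value } or { ok, reason } instead of throwing so a
// caller can report every bad input at once.
function validateSubpath(subpath) {
  if (typeof subpath !== 'string' || subpath.length === 0) return { ok: false, reason: 'empty' };
  if (subpath.includes('\0')) return { ok: false, reason: 'nul byte' };
  // Would be read as a git option if it ever reached argv without "--".
  if (subpath.startsWith('-')) return { ok: false, reason: 'option-like' };
  if (subpath.startsWith('/') || subpath.includes('\\') || /^[A-Za-z]:/.test(subpath)) {
    return { ok: false, reason: 'absolute path' };
  }
  // Tolerate trailing slashes ("docs/") but nothing else that yields an empty segment.
  let trimmed = subpath;
  while (trimmed.length > 1 && trimmed.endsWith('/')) trimmed = trimmed.slice(0, -1);
  const segments = trimmed.split('/');
  for (const seg of segments) {
    if (seg === '') return { ok: false, reason: 'empty segment' };
    if (seg === '.' || seg === '..') return { ok: false, reason: 'dot segment' };
  }
  return { ok: true, value: segments.join('/') };
}

// Build the argv arrays for a shallow, sparse checkout of one subpath. Both
// untrusted inputs are validated first, and each user-derived value sits after
// a "--" so git reads it as a URL or pathspec, never as an option. destDir is
// assumed to be chosen by the caller, not by the user.
function planCheckout(repoUrl, subpath, destDir) {
  const url = normalizeRepoUrl(repoUrl);
  const checked = validateSubpath(subpath);
  if (!checked.ok) throw new Error(`invalid subpath: ${checked.reason}`);
  return [
    ['clone', '--depth=1', '--filter=blob:none', '--sparse', '--', url, destDir],
    ['-C', destDir, 'sparse-checkout', 'set', '--', checked.value],
  ];
}

// Constructed inputs of the kind the advisory describes.
const demoChecks = ['packages/core/', '../../etc', '-c', '/etc/passwd'].map(validateSubpath);
console.log(demoChecks);
console.log(planCheckout('https://github.com/acme/tool.git///', 'docs', '/tmp/tool-checkout'));
```

Run the returned argv arrays with `child_process.execFile('git', args)` rather than `exec()`: with no shell in the path, metacharacters in a URL or subpath are inert, and the `--` separator stops git from treating a user value as an option even if a validation check is later loosened.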
Severity
Low to Moderate (project-maintainer assessed)
Mitigation
Upgrade to 0.3.1 or later. Check the installed version with `npm ls skilleton`.
Workarounds
No complete workaround is recommended other than upgrading.
References
- Branch: fix/security-code-scanning-alerts
- Commits:
  - fix(security): harden git arg handling and path validation
  - fix(security): use while loop in normalizeRepoUrl instead of regex
- Security Policy: SECURITY.md
Credits
Detected through automated code scanning and remediated by project maintainers.
Fix
Resource Exhaustion
Argument Injection
DoS
OS Command Injection
Related identifiers
Affected products
Skilleton