Unknown · @Pensar/Apex · CVE-2026-36044
**Name of the Vulnerable Software and Affected Versions**
@pensar/apex versions prior to 0.0.59
**Description**
OS command injection is possible via the smart enumerate tool. The `createSmartEnumerateTool()` function in src/core/agent/tools.ts builds a shell command by concatenating unsanitized values from the `extensions` array and the `url` parameter into a single string that is passed to Node.js `child_process.exec()`. Because `exec()` runs its argument through a shell, any shell metacharacters in those values (for example `;`, `|`, `&&`, backticks or `$(...)`) are interpreted by the host shell rather than treated as literal data, which allows arbitrary OS command execution with the privileges of the process running @pensar/apex.
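To make the failure mode concrete, the following is an added illustration (not code from @pensar/apex) of the vulnerable shape described above next to a hardened form. The binary name `enum-tool`, the flag names and the allowlist patterns are placeholders chosen for the example; the advisory does not say which command the real tool runs. The unsafe builder shows how a crafted `url` rides into the shell string; the safe variant validates each value against a strict allowlist and hands an argv array to `execFile()`, which spawns the binary without a shell so metacharacters stay literal.

```typescript
// Added example, not @pensar/apex source. "enum-tool" and its flags are placeholders.
import { execFile } from "node:child_process";
import { promisify } from "node:util";

const execFileAsync = promisify(execFile);

// Vulnerable pattern: untrusted values concatenated into one shell string.
// With url = "http://target.example/; id" the shell runs "id" after the tool.
export function buildShellCommandUnsafe(extensions: string[], url: string): string {
  return `enum-tool -u ${url} -x ${extensions.join(",")}`;
}

// Hardened pattern, step 1: strict allowlists on each untrusted value.
// Extensions are short alphanumeric tokens such as "php" or "bak".
const EXTENSION_RE = /^[a-z0-9]{1,16}$/i;

export function isSafeExtension(ext: string): boolean {
  return EXTENSION_RE.test(ext);
}

// A URL must parse, use http(s), and contain only a conservative character set.
// The character check is defence in depth: execFile would not interpret
// metacharacters anyway, but the downstream tool might.
export function isSafeUrl(raw: string): boolean {
  let protocol: string;
  try {
    protocol = new URL(raw).protocol;
  } catch (e) {
    return false;
  }
  if (protocol !== "http:" && protocol !== "https:") return false;
  return /^[A-Za-z0-9:/._~%?&=#-]+$/.test(raw);
}

// Hardened pattern, step 2: build an argv array instead of a command string.
export function buildArgvSafe(extensions: string[], url: string): string[] {
  if (!isSafeUrl(url)) throw new Error(`rejected url: ${url}`);
  for (const ext of extensions) {
    if (!isSafeExtension(ext)) throw new Error(`rejected extension: ${ext}`);
  }
  return ["-u", url, "-x", extensions.join(",")];
}

// Hardened pattern, step 3: execFile spawns the binary directly (no shell),
// so each argv element reaches the tool as a single literal argument.
export async function runEnumerateSafe(extensions: string[], url: string): Promise<string> {
  const args = buildArgvSafe(extensions, url);
  const { stdout } = await execFileAsync("enum-tool", args, { timeout: 60000 });
  return stdout;
}
```

The allowlist is deliberately stricter than what `execFile()` alone requires: removing the shell closes the injection, but validating inputs as well limits what an attacker can pass through to the enumeration binary itself (for example argument-injection against its own flag parser).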
**Recommendations**
Update @pensar/apex to version 0.0.59 or later.
As a temporary workaround, restrict access to the `createSmartEnumerateTool()` function and ensure the `extensions` and `url` values it receives cannot be influenced by untrusted input, to minimize the risk of exploitation until the upgrade is applied.