PT-2026-33557 · Npm · Skilleton
Published 2026-04-08 · Updated 2026-04-08
CVSS v4.0: 6.9 (Medium)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
Summary
skilleton versions prior to 0.3.1 include security-related weaknesses in repository normalization and path handling logic.
Version 0.3.1 contains fixes and additional test coverage for these issues.
Affected Versions
<0.3.1
Patched Versions
>=0.3.1
Impact
In affected versions, crafted input could trigger unsafe or inefficient behavior in repository/path processing code paths.
0.3.1 mitigates this by:
- replacing vulnerable parsing behavior with deterministic logic,
- validating subpaths earlier before allocating git worktree resources,
- adding stricter and broader regression tests around these flows.
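As an added illustration of the three mitigation patterns listed above (not Skilleton's own code; the function names, the accepted URL suffixes and the return conventions are assumptions), in JavaScript:

```javascript
// Strip trailing "/" and ".git" suffixes with a bounded loop instead of a
// regex such as /(\/|\.git)+$/, whose backtracking can become super-linear on
// crafted input. Each iteration removes a suffix or exits, so the loop is O(n).
function normalizeRepoUrl(url) {
  let s = String(url).trim();
  let changed = true;
  while (changed) {
    changed = false;
    if (s.endsWith("/")) { s = s.slice(0, -1); changed = true; }
    else if (s.endsWith(".git")) { s = s.slice(0, -4); changed = true; }
  }
  return s;
}

// Build git clone arguments defensively: refuse values git would parse as an
// option, and end option parsing with "--" before positional arguments.
function gitCloneArgs(repoUrl, destDir) {
  const url = normalizeRepoUrl(repoUrl);
  if (url === "" || url.startsWith("-")) {
    throw new Error("repository url is empty or looks like a git option");
  }
  if (destDir.startsWith("-")) {
    throw new Error("destination looks like a git option");
  }
  return ["clone", "--", url, destDir];
}

// Validate a caller-supplied subpath before any worktree is allocated, so a
// bad request costs no disk or git work. Returns the normalized relative path
// or null when the input is absolute, contains NUL, or escapes the root.
function validateSubpath(subpath) {
  if (typeof subpath !== "string" || subpath.includes("\0")) return null;
  const unified = subpath.split("\\").join("/");
  if (unified.startsWith("/") || /^[A-Za-z]:/.test(unified)) return null;
  const out = [];
  for (const seg of unified.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (out.length === 0) return null; // would climb above the root
      out.pop();
      continue;
    }
    out.push(seg);
  }
  return out.join("/");
}
```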
Severity
Low to Moderate (project-maintainer assessed)
Mitigation
Upgrade to 0.3.1 or later.
Workarounds
No complete workaround is recommended other than upgrading.
References
- Branch: fix/security-code-scanning-alerts
- Commits:
  - fix(security): harden git arg handling and path validation
  - fix(security): use while loop in normalizeRepoUrl instead of regex
- Security Policy: SECURITY.md
Credits
Detected through automated code scanning and remediated by project maintainers.
Fix · Resource Exhaustion · Argument Injection · DoS · OS Command Injection
Affected Products
Skilleton