GHSA-9HC2-HJX8-Q6PV: Remote Code Execution in TidGi Desktop via Malicious TiddlyWiki Repository Import
Vulnerability ID: GHSA-9HC2-HJX8-Q6PV
CVSS Score: 9.6
Published: 2026-07-14
A critical remote code execution vulnerability exists in TidGi Desktop up to version 0.13.0. The flaw allows an attacker to execute arbitrary code with Node.js privileges when a user imports or clones a malicious TiddlyWiki repository. This occurs due to the automatic execution of 'startup' modules defined in user-imported tiddler files.
TL;DR
Unauthenticated remote code execution occurs when TidGi Desktop automatically registers and runs malicious startup modules found in imported TiddlyWiki repositories.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-94
- Attack Vector: Network (AV:N)
- CVSS Score: 9.6
- Exploit Status: PoC
- KEV Status: Not Listed
- Impact: Remote Code Execution (RCE)
Affected Systems
- TidGi Desktop
-
TidGi Desktop: <= 0.13.0 (Fixed in:
null)
Mitigation Strategies
- Verify the safety of third-party repositories before importing them into TidGi Desktop
- Restrict allowed module-type metadata fields on imported user tiddlers
- Evaluate user-imported JavaScript modules within a restricted virtual machine sandbox
Remediation Steps:
- Manually review local .tid files for any unexpected 'module-type: startup' fields before loading folders
- Implement a security boundary check in 'defineTiddlerModules' to filter system-critical modules
- Configure virtual machine environments to evaluate third-party scripts without raw Node.js API access
References
Read the full report for GHSA-9HC2-HJX8-Q6PV on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)