DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-9HC2-HJX8-Q6PV: GHSA-9HC2-HJX8-Q6PV: Remote Code Execution in TidGi Desktop via Malicious TiddlyWiki Repository Import

GHSA-9HC2-HJX8-Q6PV: Remote Code Execution in TidGi Desktop via Malicious TiddlyWiki Repository Import

Vulnerability ID: GHSA-9HC2-HJX8-Q6PV
CVSS Score: 9.6
Published: 2026-07-14

A critical remote code execution vulnerability exists in TidGi Desktop up to version 0.13.0. The flaw allows an attacker to execute arbitrary code with Node.js privileges when a user imports or clones a malicious TiddlyWiki repository. This occurs due to the automatic execution of 'startup' modules defined in user-imported tiddler files.

TL;DR

Unauthenticated remote code execution occurs when TidGi Desktop automatically registers and runs malicious startup modules found in imported TiddlyWiki repositories.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-94
  • Attack Vector: Network (AV:N)
  • CVSS Score: 9.6
  • Exploit Status: PoC
  • KEV Status: Not Listed
  • Impact: Remote Code Execution (RCE)

Affected Systems

  • TidGi Desktop
  • TidGi Desktop: <= 0.13.0 (Fixed in: null)

Mitigation Strategies

  • Verify the safety of third-party repositories before importing them into TidGi Desktop
  • Restrict allowed module-type metadata fields on imported user tiddlers
  • Evaluate user-imported JavaScript modules within a restricted virtual machine sandbox

Remediation Steps:

  1. Manually review local .tid files for any unexpected 'module-type: startup' fields before loading folders
  2. Implement a security boundary check in 'defineTiddlerModules' to filter system-critical modules
  3. Configure virtual machine environments to evaluate third-party scripts without raw Node.js API access

References


Read the full report for GHSA-9HC2-HJX8-Q6PV on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)