GHSA-v3f4-w7r7-v3hm: Remote Command Execution via Origin Validation Error in Uni-CLI Legacy HTTP Transport
Vulnerability ID: GHSA-v3f4-w7r7-v3hm
CVSS Score: 8.6
Published: 2026-06-19
An origin validation error and cross-site request forgery vulnerability in @zenalexa/unicli prior to version 0.225.2 allows cross-origin web applications to execute arbitrary tools on a user's local machine via the legacy stateless HTTP transport.
TL;DR
A vulnerability in @zenalexa/unicli allows a malicious website to execute arbitrary local commands on a developer's machine. The legacy stateless HTTP transport accepts requests arriving at the daemon on the loopback interface without validating the Origin header and without requiring any authentication, so a page open in the victim's browser can send it cross-origin requests and drive its tools. The browser's same-origin policy does not help here: it restricts reading cross-origin responses, not sending cross-origin requests.
Technical Details
- CWE ID: CWE-346, CWE-352
- Attack Vector: Network / Cross-Origin HTTP Request
- CVSS v4.0 Score: 8.6 (High)
- EPSS Score: N/A
- Exploit Status: No weaponized exploit known; proof of concept not weaponized
- Impact: Arbitrary Tool / Command Execution on Host
- KEV Status: Not Listed
Affected Systems
- @zenalexa/unicli: < 0.225.2 (fixed in 0.225.2)
Mitigation Strategies
- Upgrade @zenalexa/unicli to version 0.225.2 or higher.
- Disable the legacy stateless HTTP transport mechanism.
- Utilize the default stdio transport or migrate to the secured Streamable HTTP transport.
- Configure local firewall rules to monitor and restrict access to loopback ports. Treat this as defence in depth only: it does not close the cross-origin vector, because the request is issued by the victim's own browser on the same host, so a rule that blocks remote access to the loopback port still lets it through.
Remediation Steps:
- Run npm update @zenalexa/unicli in the project directory to install the patched version. Note that npm update stays within the version range declared in package.json, and for a 0.x package a caret range such as ^0.224.0 does not reach 0.225.x, so you may need npm install @zenalexa/unicli@^0.225.2 to move the range explicitly.
- Verify the installed version is 0.225.2 or later by running npm ls @zenalexa/unicli (package.json only records the declared range, not what is installed) or unicli --version.
- Update application configurations to replace any instances of the legacy HTTP transport with stdio or Streamable HTTP.
- Restart the Uni-CLI daemon to apply the secure configuration.
References
Read the full report for GHSA-v3f4-w7r7-v3hm on our website for more details including interactive diagrams and full exploit analysis.