DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-XRMC-C5CG-RV7X: GHSA-XRMC-C5CG-RV7X: Security Bypass Vulnerability in safeinstall-cli Command Parser

GHSA-XRMC-C5CG-RV7X: Security Bypass Vulnerability in safeinstall-cli Command Parser

Vulnerability ID: GHSA-XRMC-C5CG-RV7X
CVSS Score: 8.8
Published: 2026-07-10

A high-severity security bypass vulnerability exists in safeinstall-cli up to version 0.10.1. Due to multiple logical limitations in its shell command parsing mechanism (guard-parser), attackers can craft specific shell commands that completely evade the Agent Guard interceptor hooks. This allows arbitrary unverified installations and code executions on the developer system when executed by AI coding agents.

TL;DR

Flaws in safeinstall-cli's guard-parser prior to 0.10.2 allow attackers to bypass command interception via case-insensitive launchers, leading file redirections, incorrect wrapper option arity analysis, and remote scaffolding commands, enabling arbitrary code execution on the local development environment.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-178, CWE-693
  • Attack Vector: Network
  • CVSS Severity: 8.8 (High)
  • Exploit Status: poc
  • KEV Status: Not Listed
  • Impact: Arbitrary Code Execution

Affected Systems

  • safeinstall-cli (npm package)
  • safeinstall-cli: <= 0.10.1 (Fixed in: 0.10.2)

Mitigation Strategies

  • Upgrade safeinstall-cli globally to version 0.10.2 or higher.
  • Perform regular audits of AI assistant terminal execution configurations.
  • Enforce explicit approval steps in terminal interceptor hooks for nested or wrapper shell tools.

Remediation Steps:

  1. Execute npm install -g safeinstall-cli@0.10.2 to apply the patch.
  2. Inspect configuration directories of AI tools (Claude, Cursor, Windsurf) to ensure they reference the updated global binary.
  3. Enable restrictive authorization prompts for any non-standard or capitalized commands.

References


Read the full report for GHSA-XRMC-C5CG-RV7X on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)