Jul 11, 2026·7 min read·2 visits
Flaws in safeinstall-cli's guard-parser prior to 0.10.2 allow attackers to bypass command interception via case-insensitive launchers, leading file redirections, incorrect wrapper option arity analysis, and remote scaffolding commands, enabling arbitrary code execution on the local development environment.
A high-severity security bypass vulnerability exists in safeinstall-cli up to version 0.10.1. Due to multiple logical limitations in its shell command parsing mechanism (guard-parser), attackers can craft specific shell commands that completely evade the Agent Guard interceptor hooks. This allows arbitrary unverified installations and code executions on the developer system when executed by AI coding agents.
The safeinstall-cli command-line utility serves as a critical security control designed to intercept, parse, and police shell execution instructions generated by autonomous artificial intelligence (AI) agents. As AI agents operate dynamically in developers' environments, they often download external code or execute lifecycle scripts. To prevent execution of malicious dependencies, SafeInstall registers hooks such as PreToolUse for Claude Code or beforeShellExecution for Cursor. These hooks intercept commands, classify them, and enforce execution policies.
In versions up to and including 0.10.1, multiple fundamental security flaws in the guard-parser engine allowed attackers to easily craft shell commands that bypassed policy evaluation entirely. By exploiting subtle syntax deviations, unauthenticated remote attackers could execute unauthorized installation routines and lifecycle scripts on local development systems. These bypass configurations occur during initial command categorization, where the engine fails to map specific structures to package-management actions.
The vulnerability affects all environments running automated agents with safeinstall-cli configurations. The overall severity is classified as High (CVSS 8.8) because a successful bypass allows arbitrary command execution with the privileges of the active terminal session. This enables attackers to retrieve local credentials, compromise private source code, or permanently alter configuration files on development machines.
The root cause of the vulnerability resides in the implementation of the guard-parser component within the Agent Guard module. SafeInstall's logic inspects raw CLI input to identify dangerous command-line utility triggers, such as npm install, yarn add, or pnpm dlx. This detection logic, however, did not enforce input normalization, creating systematic parsing gaps.
Specifically, the parser failed to normalize process-name character casing before executing comparative logic (CWE-178). Operating systems with case-insensitive file-system configurations, such as macOS and Microsoft Windows, resolve command executions like NPM install or SUDO to their canonical binaries perfectly. The parser, on the other hand, performed strict, case-sensitive string matching against lowercase signatures like npm or sudo, allowing these variations to bypass the scanner without raising policy violations.
Additionally, the parser did not account for leading shell redirection operators or correct argument-wrapping patterns (CWE-693). When a command begins with redirection structures like < input.txt or > output.log, the sequential tokenizer aborts scanning or misplaces the command index. Furthermore, wrapper tools such as sudo or env that carry variable option arguments caused the parser to misclassify option parameters as the executable command, shifting evaluation away from the trailing, malicious payload.
To understand the parser failure, we analyze the vulnerable logic against the updated architecture in version 0.10.2. In the vulnerable implementation, command tokenization occurred without character-case normalization or stream redirection stripping. The simplified layout below illustrates how a leading redirection or case mutation slipped past the evaluation bounds.
// Vulnerable Command Token Analysis (<= v0.10.1)
function findCommandTokenIndex(tokens: string[]): number {
// Vulnerability: Fails if leading redirection (<, >) occurs
if (tokens[0] === '<' || tokens[0] === '>') {
return -1; // Parser aborts immediately
}
const executable = tokens[0];
// Vulnerability: Case-sensitive check bypassable via 'NPM' on Windows/macOS
if (SUPPORTED_MANAGERS.includes(executable)) {
return 0;
}
return -1;
}The patch introduced in version 0.10.2 completely restructured the command parser into three distinct modules: guard-flow.ts, guard-setup.ts, and guard-commands.ts. The implementation now enforces casing normalization, strips file-descriptor redirections before scanning, and processes wrapper options utilizing strict arity rules. If an ambiguous or non-standard command structure is encountered, the parser fails closed to prevent evasion.
// Patched Command Normalization Logic (v0.10.2)
function normalizeAndCleanTokens(rawTokens: string[]): string[] {
// Step 1: Strip leading redirections from the evaluation stream
let cleanTokens = [...rawTokens];
while (cleanTokens.length > 0 && (cleanTokens[0].startsWith('<') || cleanTokens[0].startsWith('>'))) {
cleanTokens.shift();
}
// Step 2: Normalize the command to lowercase for comparison
if (cleanTokens.length > 0) {
cleanTokens[0] = cleanTokens[0].toLowerCase();
}
return cleanTokens;
}Exploiting this parser vulnerability requires an attacker to inject specific commands into resources that an AI assistant, such as Claude Code or Cursor, will parse and execute. These targets typically include project configuration files, documentation instructions, issue boards, or repository files. When the assistant processes the malicious instructions, it attempts to run them locally, triggering the bypass mechanism automatically.
An attacker can construct several distinct bypass structures depending on the environment. A case-variation attack utilizes capitalized package manager calls like NPM install malicious-package. A redirection-based bypass places a stream redirection prefix, such as < /dev/null npm install malicious-package, which causes the parser to return a negative index. A wrapper-hijack attack exploits option arity using sudo -u developer npm install malicious-package, forcing the parser to identify -u or developer as the primary executable.
Once the parser fails to identify the command as a restricted package-installation action, the CLI ignores the tool use. The raw shell processes the instruction directly, allowing untrusted NPM dependencies to download. These dependencies then execute arbitrary code via preinstall or postinstall scripts, granting the attacker system access with the privileges of the active terminal session.
The impact of this vulnerability is severe because it completely invalidates the security boundary established by safeinstall-cli. The Agent Guard's entire objective is to intercept unverified, AI-driven installations to prevent malicious package execution. By bypassing this control, attackers achieve unauthenticated remote code execution on the local machine hosting the AI coding assistant.
Once execution is achieved via lifecycle scripts, an attacker can perform a wide range of unauthorized actions. This includes exfiltrating environment variables, reading local SSH keys, downloading private source code, or writing backdoors into active projects. Because development environments typically maintain direct access to cloud resources and deployment pipelines, a local compromise can quickly transition into a wider supply chain compromise.
Currently, the vulnerability has no assigned CVE identifier and is tracked exclusively under GHSA-XRMC-C5CG-RV7X. Threat intelligence databases classify the exploit maturity as proof-of-concept level, and there are no recorded instances of weaponized exploitation in the wild. However, given the rapid adoption of AI coding assistants, the vulnerability remains a highly viable target for automated supply-chain campaigns.
Remediation requires upgrading the global installation of the CLI to version 0.10.2 or later. Upgrading normalizes case configurations, integrates strict redirection parsing, processes wrapper options conservatively, and forces remote scaffolding calls (such as npm create) directly through the approval loop. System administrators can apply the update by running the global installation sequence.
To secure local installations immediately, run the following commands:
# Verify current version of safeinstall-cli
safeinstall-cli --version
# Upgrade global CLI to the patched version
npm install -g safeinstall-cli@0.10.2The fix applied in version 0.10.2 is highly comprehensive. The maintainer introduced an adversarial regression corpus within fixtures/bypass-corpus/ alongside a characterization test suite checking 158 distinct parsing configurations. Furthermore, a fuzzing harness was deployed to run up to one million commands against the parser. These aggressive test controls ensure the parser fails closed under anomalous inputs, preventing variants of these bypasses from re-emerging in subsequent releases.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H| Product | Affected Versions | Fixed Version |
|---|---|---|
safeinstall-cli Mickdownunder | <= 0.10.1 | 0.10.2 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-178, CWE-693 |
| Attack Vector | Network |
| CVSS Severity | 8.8 (High) |
| Exploit Status | poc |
| KEV Status | Not Listed |
| Impact | Arbitrary Code Execution |
The software contains a control designed to protect a resource, but the control fails to achieve its purpose under certain conditions.
An authenticated remote code execution vulnerability exists in NotrinosERP (versions up to and including 1.0.0) within the Human Resource Management (HRM) module. Users with employee management permissions can upload arbitrary file types, including PHP scripts, which are written directly to a web-accessible directory. This allows for arbitrary code execution in the context of the web-server user.
An arbitrary server-side file read vulnerability exists in the mcp-atlassian integration server. Remote clients utilizing SSE or HTTP transports can exploit the lack of directory containment on attachment-upload tools to resolve and read arbitrary host files, exfiltrating them directly to Atlassian Jira or Confluence.
A directory traversal vulnerability exists in the mcp-atlassian integration server prior to version 0.22.0. The confluence_upload_attachment tool fails to restrict the paths of uploaded files, allowing authenticated users or external prompt injection payloads to retrieve and exfiltrate arbitrary files from the server's filesystem into Confluence.
A critical-severity Stored Cross-Site Scripting (XSS) vulnerability exists in the SiYuan personal knowledge management system. Due to missing sanitization in the attribute-view cell renderer and an insecure Electron default configuration (nodeIntegration: true), attackers can execute arbitrary commands on the victim's host operating system through synchronized workspaces.
A critical-severity stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan's Attribute View database asset cell renderer. This flaw allows low-privilege authenticated users to execute arbitrary JavaScript in the application frontend. In Electron-based desktop clients, this execution context can be leveraged to execute arbitrary native operating system commands, resulting in complete system compromise.
Clauster versions up to and including v0.2.1 suffer from an authentication bypass vulnerability. This issue occurs when Clauster is configured with an authentication method but the master auth.enabled key is omitted or set to false, allowing unauthenticated network access to administrative endpoints and arbitrary code execution through managed Claude Code bridges.