CVE-2026-25046 Overview
CVE-2026-25046 is a Command Injection vulnerability (CWE-77) affecting the Kimi Agent SDK, a set of libraries that expose the Kimi Code (Kimi CLI) agent runtime in applications. The vsix-publish.js and ovsx-publish.js development scripts pass filenames to execSync() as shell command strings, allowing filenames containing shell metacharacters like $(cmd) to execute arbitrary commands.
Critical Impact
This vulnerability allows arbitrary command execution through malicious filenames in development scripts, though it only affects developers working with the repository source code - end users of the published VSCode extension are not affected.
Affected Products
- Kimi Agent SDK versions prior to 0.1.6
- Development environments using vsix-publish.js script
- Development environments using ovsx-publish.js script
Discovery Timeline
- 2026-01-29 - CVE CVE-2026-25046 published to NVD
- 2026-01-29 - Last updated in NVD database
Technical Details for CVE-2026-25046
Vulnerability Analysis
This Command Injection vulnerability exists in the Kimi Agent SDK's development publishing scripts. The scripts vsix-publish.js and ovsx-publish.js construct shell commands by directly concatenating user-controllable filenames into command strings passed to Node.js's execSync() function. When .vsix files with specially crafted names containing shell metacharacters are present in the project directory, the shell interpreter processes these metacharacters during command execution.
The vulnerability requires local access, high-privilege user interaction, and specific conditions to exploit. It's important to note that this is a development-only vulnerability—the published VSCode extension does not include these vulnerable scripts, meaning end users installing the extension through normal channels are unaffected.
Root Cause
The root cause is improper neutralization of special elements used in command construction. The development scripts use execSync() with string-based command arguments rather than the safer execFileSync() with array-based arguments. This allows shell metacharacter interpretation when processing filenames, enabling command injection through crafted .vsix file names.
Attack Vector
The attack vector is local, requiring an attacker to place a maliciously named .vsix file in the project directory before a developer runs the publish scripts. The attacker would need to craft a filename containing shell metacharacters such as $(malicious_command) or backtick-enclosed commands. When the publish script processes this file, the embedded command would execute with the privileges of the developer running the script.
For example, a file named extension-$(whoami).vsix would cause the whoami command to be executed and its output interpolated into the command string when processed by the vulnerable scripts.
Detection Methods for CVE-2026-25046
Indicators of Compromise
- Presence of .vsix files with unusual characters or command syntax in filenames (e.g., $(), backticks, semicolons)
- Unexpected process spawning during execution of vsix-publish.js or ovsx-publish.js
- Anomalous command execution patterns originating from Node.js processes running publish scripts
Detection Strategies
- Monitor file creation events in development directories for .vsix files containing shell metacharacters in filenames
- Implement file name validation in CI/CD pipelines before running publish scripts
- Use process monitoring to detect unexpected child processes spawned during build operations
Monitoring Recommendations
- Enable audit logging for command execution in development environments
- Implement file integrity monitoring for project directories containing build artifacts
- Review Node.js process trees during publish operations for anomalous subprocess creation
How to Mitigate CVE-2026-25046
Immediate Actions Required
- Upgrade Kimi Agent SDK to version 0.1.6 or later
- Audit all .vsix files in project directories for suspicious filenames before running publish scripts
- Implement filename validation to reject files containing shell metacharacters
Patch Information
The vulnerability is fixed in Kimi Agent SDK version 0.1.6. The fix replaces the unsafe execSync() function with execFileSync() using array arguments, which prevents shell metacharacter interpretation. For more details, refer to the GitHub Security Advisory.
Workarounds
- Ensure all .vsix files in the project directory have safe filenames (alphanumeric characters, hyphens, and underscores only) before running publish scripts
- Implement a pre-publish validation script that checks for dangerous characters in filenames
- Consider isolating publish script execution in a sandboxed environment with limited privileges
# Configuration example
# Pre-publish filename validation script
# Run before executing vsix-publish.js or ovsx-publish.js
# Check for dangerous characters in .vsix filenames
for file in *.vsix; do
if [[ "$file" =~ [\$\`\;\|\&\(\)] ]]; then
echo "WARNING: Potentially malicious filename detected: $file"
exit 1
fi
done
echo "All .vsix filenames are safe"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
