Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-25046

CVE-2026-25046: Kimi Agent SDK RCE Vulnerability

CVE-2026-25046 is a remote code execution flaw in Kimi Agent SDK's development scripts that allows arbitrary command execution via shell metacharacters. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-25046 Overview

CVE-2026-25046 is a Command Injection vulnerability (CWE-77) affecting the Kimi Agent SDK, a set of libraries that expose the Kimi Code (Kimi CLI) agent runtime in applications. The vsix-publish.js and ovsx-publish.js development scripts pass filenames to execSync() as shell command strings, allowing filenames containing shell metacharacters like $(cmd) to execute arbitrary commands.

Critical Impact

This vulnerability allows arbitrary command execution through malicious filenames in development scripts, though it only affects developers working with the repository source code - end users of the published VSCode extension are not affected.

Affected Products

  • Kimi Agent SDK versions prior to 0.1.6
  • Development environments using vsix-publish.js script
  • Development environments using ovsx-publish.js script

Discovery Timeline

  • 2026-01-29 - CVE CVE-2026-25046 published to NVD
  • 2026-01-29 - Last updated in NVD database

Technical Details for CVE-2026-25046

Vulnerability Analysis

This Command Injection vulnerability exists in the Kimi Agent SDK's development publishing scripts. The scripts vsix-publish.js and ovsx-publish.js construct shell commands by directly concatenating user-controllable filenames into command strings passed to Node.js's execSync() function. When .vsix files with specially crafted names containing shell metacharacters are present in the project directory, the shell interpreter processes these metacharacters during command execution.

The vulnerability requires local access, high-privilege user interaction, and specific conditions to exploit. It's important to note that this is a development-only vulnerability—the published VSCode extension does not include these vulnerable scripts, meaning end users installing the extension through normal channels are unaffected.

Root Cause

The root cause is improper neutralization of special elements used in command construction. The development scripts use execSync() with string-based command arguments rather than the safer execFileSync() with array-based arguments. This allows shell metacharacter interpretation when processing filenames, enabling command injection through crafted .vsix file names.

Attack Vector

The attack vector is local, requiring an attacker to place a maliciously named .vsix file in the project directory before a developer runs the publish scripts. The attacker would need to craft a filename containing shell metacharacters such as $(malicious_command) or backtick-enclosed commands. When the publish script processes this file, the embedded command would execute with the privileges of the developer running the script.

For example, a file named extension-$(whoami).vsix would cause the whoami command to be executed and its output interpolated into the command string when processed by the vulnerable scripts.

Detection Methods for CVE-2026-25046

Indicators of Compromise

  • Presence of .vsix files with unusual characters or command syntax in filenames (e.g., $(), backticks, semicolons)
  • Unexpected process spawning during execution of vsix-publish.js or ovsx-publish.js
  • Anomalous command execution patterns originating from Node.js processes running publish scripts

Detection Strategies

  • Monitor file creation events in development directories for .vsix files containing shell metacharacters in filenames
  • Implement file name validation in CI/CD pipelines before running publish scripts
  • Use process monitoring to detect unexpected child processes spawned during build operations

Monitoring Recommendations

  • Enable audit logging for command execution in development environments
  • Implement file integrity monitoring for project directories containing build artifacts
  • Review Node.js process trees during publish operations for anomalous subprocess creation

How to Mitigate CVE-2026-25046

Immediate Actions Required

  • Upgrade Kimi Agent SDK to version 0.1.6 or later
  • Audit all .vsix files in project directories for suspicious filenames before running publish scripts
  • Implement filename validation to reject files containing shell metacharacters

Patch Information

The vulnerability is fixed in Kimi Agent SDK version 0.1.6. The fix replaces the unsafe execSync() function with execFileSync() using array arguments, which prevents shell metacharacter interpretation. For more details, refer to the GitHub Security Advisory.

Workarounds

  • Ensure all .vsix files in the project directory have safe filenames (alphanumeric characters, hyphens, and underscores only) before running publish scripts
  • Implement a pre-publish validation script that checks for dangerous characters in filenames
  • Consider isolating publish script execution in a sandboxed environment with limited privileges
bash
# Configuration example
# Pre-publish filename validation script
# Run before executing vsix-publish.js or ovsx-publish.js

# Check for dangerous characters in .vsix filenames
for file in *.vsix; do
  if [[ "$file" =~ [\$\`\;\|\&\(\)] ]]; then
    echo "WARNING: Potentially malicious filename detected: $file"
    exit 1
  fi
done
echo "All .vsix filenames are safe"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.