GHSA-jfgx-wxx8-mp94
Pi Agent: Predictable temporary extension install paths allow local privilege escalation on shared Linux hosts
# Predictable temporary extension install paths allow local privilege escalation on shared Linux hosts
Pi versions with temporary npm or git extension package installs used predictable paths under the operating system temporary directory. On Linux-based multi-user systems, a local attacker who can write to the shared temporary directory could prepare the expected package location before another user runs pi with a temporary extension package source. Pi could then load attacker-controlled extension code in the victim user's process.
## Info
The vulnerable code path affected temporary extension package sources loaded with `--extension` or `-e`, specifically npm and git package sources. The temporary npm install root and temporary git clone paths were deterministic and rooted under `os.tmpdir()/pi-extensions`. The path was derived from public source information rather than from a per-user private directory or an unpredictable temporary directory.
During resource resolution, pi considered an npm package or git checkout present if the expected package path already existed. Extension resources discovered from that package location were then loaded by the extension loader. Because extensions execute with the same privileges as the invoking pi process, pre-created temporary package contents could execute as the victim user.
The issue primarily affects Linux-based multi-user hosts where the operating system temporary directory is shared across user accounts, such as shared development machines, CI runners, HPC login nodes, and similar environments. On Windows and macOS, the default temporary directory is typically user-scoped, so default configurations are not expected to be affected unless the temporary directory is overridden to a shared writable location.
## Impact
A local attacker with access to the same host can exploit this only if a victim runs a vulnerable pi version with a temporary npm or git extension package source that maps to the attacker-prepared location. No network attack path is involved and no race must be won, but victim interaction is required.
Successful exploitation can allow arbitrary extension code execution as the victim user. This can expose or modify files accessible to that user and can also cause denial of service or data loss through malicious package contents or unsafe temporary cache entries.
## Affected versions
- `@earendil-works/pi-coding-agent`: affected `>= 0.74.0, < 0.78.1`; patched `>= 0.78.1`
- `@mariozechner/pi-coding-agent`: affected `>= 0.50.0, <= 0.73.1`; no patched version was released under the old package name. Migrate to `@earendil-works/pi-coding-agent >= 0.78.1`.
## The solution
Version 0.78.1 moves temporary extension package installs to a private per-user directory under `~/.pi/agent/tmp/extensions` and enforces `0700` permissions on that directory. The same release also hardens git package source path handling so managed clone paths remain inside their intended install roots.
## Recommendations
Upgrade to `@earendil-works/pi-coding-agent` version 0.78.1 or later. Users of the deprecated `@mariozechner/pi-coding-agent` package should migrate to the `@earendil-works/pi-coding-agent` package and upgrade to a fixed version.
On shared Linux hosts, avoid using temporary npm or git extension package sources with vulnerable versions. Review any third-party extensions before loading them, because pi extensions run with full access to the invoking user's account.
## Workarounds
If upgrading immediately is not possible, avoid `--extension` or `-e` with npm or git package sources on shared Linux systems. As an additional mitigation for vulnerable versions, configure the process temporary directory environment to point at a directory owned by the invoking user with `0700` permissions before starting pi.
## Timeline
- 2026-05-29: Report received
- 2026-06-02: Fix committed
- 2026-06-04: Fixed version 0.78.1 released
- 2026-06-08: Advisory prepared for publication
## Credits
Reported by Paul Urian and Cosmin Alexa of CrowdStrike.
## Affected packages

| Package (npm) | Affected from | Fixed in | Remediation |
|---|---|---|---|
| `@earendil-works/pi-coding-agent` | 0.74.0 | 0.78.1 | `npm install @earendil-works/pi-coding-agent@0.78.1` |
| `@mariozechner/pi-coding-agent` | 0.50.0 | No fixed version published yet | Pin to a known-safe version or switch to an alternative. |
## References
- https://github.com/earendil-works/pi/security/advisories/GHSA-jfgx-wxx8-mp94
- https://github.com/earendil-works/pi/pull/5345
- https://github.com/earendil-works/pi/commit/a98e087e5d08ea2a536bf73dbb0aebb87c3ef72e
- https://github.com/earendil-works/pi/commit/ea3465a8e371a12d0167a06b60f93878e3a3df44
- https://github.com/earendil-works/pi (package repository)
- https://github.com/earendil-works/pi/releases/tag/v0.78.1