VDB
KO
HIGH 8.8

GHSA-xrmc-c5cg-rv7x

SafeInstall agent guard shell parsing can miss raw package execution

Details

## Summary

SafeInstall CLI through 0.10.1 can fail to recognize some package-manager and registry-runner commands in its agent guard. Case-variant launcher names, leading file-descriptor redirections, and supported shell wrappers with options can cause a raw install command to receive no guard decision. Remote project scaffolding through package-manager create/init commands can also avoid the approval decision used for other registry runners.

## Impact

When the SafeInstall guard is installed for a coding agent, a crafted shell command can bypass the intended deny or ask response. The coding agent may then run a package installation or registry-provided scaffolding command without SafeInstall policy evaluation and without SafeInstall enforcing disabled lifecycle scripts.

Exploitation requires a coding agent to act on attacker-influenced instructions and issue the crafted shell command. A successful malicious package or runner can execute with the permissions of the developer account, affecting the confidentiality, integrity, and availability of local source code, credentials, and development resources.

The vulnerability is limited to guard interception. Commands already routed through the SafeInstall CLI continue to receive normal policy evaluation.

## Affected versions

- safeinstall-cli <= 0.10.1

## Patched version

- safeinstall-cli 0.10.2

## Fix

Version 0.10.2:

- normalizes package-manager and wrapper launcher names for detection and rewriting; - parses leading redirections before classifying the command; - handles supported wrapper option arity conservatively and fails closed on ambiguous embedded command syntax; - routes remote create/init scaffolding through the registry-runner approval path; - preserves SafeInstall routing for path-qualified package-manager invocations.

The patch includes a permanent regression corpus, table-driven parser characterization, an independent reference detector, and deterministic fuzz invariants. The integrated release candidate passed 626 tests, package smoke validation, and a one-million-command fuzz campaign with zero invariant violations.

## Mitigation

Upgrade to safeinstall-cli 0.10.2 or later.

Until an upgrade is possible, manually review every coding-agent shell command and prevent the agent from invoking package managers or registry runners directly. Running an affected guard does not make raw package-manager execution safe.

## Credits

Discovered, reproduced, and remediated by the SafeInstall maintainer during adversarial parser testing.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / safeinstall-cli
Introduced in: 0 Fixed in: 0.10.2
Fix npm install safeinstall-cli@0.10.2

References