GHSA-5G3J-89FR-R2VP

Vulnerability from github – Published: 2026-04-08 00:07 – Updated: 2026-04-08 00:07
VLAI
Summary
skilleton has improper input handling in repository/path processing
Details

Summary

skilleton versions prior to 0.3.1 include security-related weaknesses in repository normalization and path handling logic.
Version 0.3.1 contains fixes and additional test coverage for these issues.

Affected Versions

<0.3.1

Patched Versions

>=0.3.1

Impact

In affected versions, crafted input could trigger unsafe or inefficient behavior in repository/path processing code paths.
0.3.1 mitigates this by: - replacing vulnerable parsing behavior with deterministic logic, - validating subpaths earlier before allocating git worktree resources, - adding stricter and broader regression tests around these flows.

Severity

Low to Moderate (project-maintainer assessed)

Mitigation

Upgrade to 0.3.1 or later.

Workarounds

No complete workaround is recommended other than upgrading.

References

Credits

Detected through automated code scanning and remediated by project maintainers.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "skilleton"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400",
      "CWE-78",
      "CWE-88"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-08T00:07:36Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\n`skilleton` versions prior to `0.3.1` include security-related weaknesses in repository normalization and path handling logic.  \nVersion `0.3.1` contains fixes and additional test coverage for these issues.\n\n## Affected Versions\n\n`\u003c0.3.1`\n\n## Patched Versions\n\n`\u003e=0.3.1`\n\n## Impact\n\nIn affected versions, crafted input could trigger unsafe or inefficient behavior in repository/path processing code paths.  \n`0.3.1` mitigates this by:\n- replacing vulnerable parsing behavior with deterministic logic,\n- validating subpaths earlier before allocating git worktree resources,\n- adding stricter and broader regression tests around these flows.\n\n## Severity\n\nLow to Moderate (project-maintainer assessed)\n\n## Mitigation\n\nUpgrade to `0.3.1` or later.\n\n## Workarounds\n\nNo complete workaround is recommended other than upgrading.\n\n## References\n\n- Branch: [`fix/security-code-scanning-alerts`](https://github.com/Fcmam5/skilleton/pull/9)\n- Commits:\n  - [fix(security): harden git arg handling and path validation](https://github.com/Fcmam5/skilleton/pull/9/changes/42bc280ad675bfaa7b1bbc192330fb582bb28172)\n  - [fix(security): use while loop in normalizeRepoUrl instead of regex](https://github.com/Fcmam5/skilleton/pull/9/changes/6613160803ec8655efee9a270eeaa767ad22da8b)\n- Security Policy: [SECURITY.md](https://github.com/Fcmam5/skilleton/blob/master/SECURITY.md)\n\n## Credits\n\nDetected through automated code scanning and remediated by project maintainers.",
  "id": "GHSA-5g3j-89fr-r2vp",
  "modified": "2026-04-08T00:07:36Z",
  "published": "2026-04-08T00:07:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Fcmam5/skilleton/security/advisories/GHSA-5g3j-89fr-r2vp"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Fcmam5/skilleton/pull/9/changes/42bc280ad675bfaa7b1bbc192330fb582bb28172"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Fcmam5/skilleton/pull/9/changes/6613160803ec8655efee9a270eeaa767ad22da8b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Fcmam5/skilleton"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "skilleton has improper input handling in repository/path processing"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…