Submission #847648: tiddly-gittly TidGi Desktop 0.13.0 TidGi Desktop 0.13.0 Remote Code Execution via Untrusted TiddlyW

Title: tiddly-gittly TidGi Desktop 0.13.0 TidGi Desktop 0.13.0 Remote Code Execution via Untrusted TiddlyW
Description: TidGi Desktop 0.13.0 allows arbitrary code execution when importing an untrusted TiddlyWiki repository. On import, the application loads every .tid file from the workspace and then boots the embedded TiddlyWiki instance. During the startup sequence, any tiddler carrying the fields "type: application/javascript" and "module-type: startup" is registered as an executable module and run without sandboxing. An attacker who controls a repository can therefore include a startup module that runs arbitrary Node.js code during workspace initialization. Exploitation requires the victim to import or clone the attacker-controlled repository through the application's workspace import functionality. The result is arbitrary command execution with the privileges of the current user; because the module has access to Node.js built-in modules such as child_process and fs, file read, file write, persistence mechanisms and reverse shell execution are all possible. The project maintainer has acknowledged the issue and indicated that sandboxing should be added to restrict execution of imported content.
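A practitioner-side check for the condition described above, added here as an example and not TidGi's own code: a Node.js scanner that parses the .tid header format (field lines up to the first blank line, then the body) and flags tiddlers that would be registered as JavaScript modules at boot, reporting "module-type: startup" as auto-executing. It generalizes slightly beyond the advisory by also reporting JavaScript tiddlers with other module-type values, since those are still registered as code. The repository contents are constructed samples; the function names and the path-to-text map are assumptions made for this example.

```javascript
'use strict';
// Added example (not TidGi's own code): pre-import scanner for self-executing
// TiddlyWiki modules. All .tid samples below are constructed for illustration.

// A .tid file is "name: value" header lines, a blank line, then the body.
function parseTid(text) {
  const normalized = text.replace(/\r\n/g, '\n');
  const sep = normalized.indexOf('\n\n');
  const header = sep === -1 ? normalized : normalized.slice(0, sep);
  const body = sep === -1 ? '' : normalized.slice(sep + 2);
  const fields = {};
  for (const line of header.split('\n')) {
    const colon = line.indexOf(':');
    if (colon === -1) continue; // not a field line
    const name = line.slice(0, colon).trim().toLowerCase();
    fields[name] = line.slice(colon + 1).trim();
  }
  return { fields, body };
}

// JavaScript tiddlers with a module-type are registered as modules when the
// wiki boots; "startup" modules run automatically during initialization, which
// is the condition the advisory describes. Other module types are still code.
function classifyTiddler(fields) {
  const type = (fields.type || '').toLowerCase();
  const moduleType = (fields['module-type'] || '').toLowerCase();
  if (type !== 'application/javascript' || moduleType === '') return 'ok';
  return moduleType === 'startup' ? 'auto-executes' : 'executable-module';
}

// Walk a map of path -> file text (as read from a cloned repository) and
// collect every tiddler that would be registered as code.
function scanRepository(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    if (!path.endsWith('.tid')) continue;
    const { fields } = parseTid(text);
    const verdict = classifyTiddler(fields);
    if (verdict !== 'ok') {
      findings.push({
        path,
        title: fields.title || '(untitled)',
        moduleType: fields['module-type'],
        verdict,
      });
    }
  }
  return findings;
}

// Policy: refuse to boot an imported workspace that contains any startup module.
function shouldBlockImport(files) {
  return scanRepository(files).some((f) => f.verdict === 'auto-executes');
}

// Constructed sample repository: one ordinary tiddler, one startup module of
// the shape the advisory describes (body kept inert here), one library module.
const SAMPLE_FILES = {
  'tiddlers/Welcome.tid':
    'title: Welcome\ntype: text/vnd.tiddlywiki\n\nHello!',
  'tiddlers/$__plugins_evil_startup.js.tid':
    'title: $:/plugins/evil/startup.js\n' +
    'type: application/javascript\n' +
    'module-type: startup\n' +
    '\n' +
    '/* constructed: a real payload could require("child_process") here */\n' +
    'exports.startup = function () {};',
  'tiddlers/$__plugins_x_helper.js.tid':
    'title: $:/plugins/x/helper.js\n' +
    'type: application/javascript\n' +
    'module-type: library\n' +
    '\n' +
    'exports.helper = function () {};',
};

for (const f of scanRepository(SAMPLE_FILES)) {
  console.log(`${f.verdict.padEnd(17)} ${f.title} (${f.path})`);
}
console.log('block import:', shouldBlockImport(SAMPLE_FILES));
```

Running this against the constructed repository reports the startup module as auto-executing, the library module as executable, and recommends blocking the import. The scan is a pre-boot gate only: it does not replace the sandboxing the maintainer refers to, since a JavaScript tiddler can also be injected later through other tiddler-loading paths.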
Source: https://github.com/tiddly-gittly/TidGi-Desktop/security/advisories/GHSA-9hc2-hjx8-q6pv
User: Fklov (UID 98102)
Submission: 04/06/2026 12:34 PM (1 month ago)
Moderation: 04/07/2026 10:01 AM (30 days later)
Status: Accepted
VulDB Entry: 376309 [tiddly-gittly TidGi-Desktop up to 0.13.0 Git Repository Import loadWikiTiddlersWithSubWikis.ts privilege escalation]
Points: 20
