Description
Kimi Agent SDK is a set of libraries that expose the Kimi Code (Kimi CLI) agent runtime in applications. The vsix-publish.js and ovsx-publish.js scripts pass filenames to execSync() as shell command strings. Prior to version 0.1.6, filenames containing shell metacharacters like $(cmd) could execute arbitrary commands. Note: This vulnerability exists only in the repository's development scripts. The published VSCode extension does not include these files and end users are not affected. This is fixed in version 0.1.6 by replacing execSync with execFileSync using array arguments. As a workaround, ensure .vsix files in the project directory have safe filenames before running publish scripts.
Published: 2026-01-29
Score: 2.9 Low
EPSS: < 1% Very Low
KEV: No
Impact: Command Injection
Action: Immediate Patch
AI Analysis

Impact

The vulnerability exists in the Kimi Agent SDK’s development scripts, vsix-publish.js and ovsx-publish.js, where filenames are passed directly to execSync as shell commands. This allows a malicious filename containing shell metacharacters (e.g., $(cmd)) to cause arbitrary commands to be executed during script run time. The weakness is a classic command injection flaw, classified as CWE-77. The impact is limited to developers executing these publish scripts; normal end‑user installation of the published VSCode extension is not affected.

Affected Systems

MoonshotAI’s Kimi Agent SDK is vulnerable in all releases before 0.1.6, particularly versions that still expose the aforementioned scripts. The fix is provided in version 0.1.6 onwards, where execSync has been replaced with execFileSync and the invocation is safely passed as an array argument.

Risk and Exploitability

The assessed CVSS score is 2.9, reflecting low severity. The EPSS score is below 1 %, indicating a very low probability of exploitation in the wild, and the issue is not listed in the CISA KEV catalog. Exploitation requires a developer to run the publish scripts with specially crafted filenames, so the attack vector is local and depends on the developer’s environment. In practice, this limits the real‑world risk, but the flaw is still a security concern for code‑base integrity.

Generated by OpenCVE AI on April 18, 2026 at 01:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Kimi Agent SDK to version 0.1.6 or later, which replaces execSync with execFileSync and removes the injection vector.
  • If an upgrade cannot be performed immediately, ensure that all .vsix filenames in the project directory contain no shell metacharacters before invoking the publish scripts.
  • Consider implementing a naming convention or automatic scan that rejects filenames with shell metacharacters to prevent accidental injection during future builds.

Generated by OpenCVE AI on April 18, 2026 at 01:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 02 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 30 Jan 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Moonshotai
Moonshotai kimi-agent-sdk
Vendors & Products Moonshotai
Moonshotai kimi-agent-sdk

Thu, 29 Jan 2026 22:00:00 +0000

Type Values Removed Values Added
Description Kimi Agent SDK is a set of libraries that expose the Kimi Code (Kimi CLI) agent runtime in applications. The vsix-publish.js and ovsx-publish.js scripts pass filenames to execSync() as shell command strings. Prior to version 0.1.6, filenames containing shell metacharacters like $(cmd) could execute arbitrary commands. Note: This vulnerability exists only in the repository's development scripts. The published VSCode extension does not include these files and end users are not affected. This is fixed in version 0.1.6 by replacing execSync with execFileSync using array arguments. As a workaround, ensure .vsix files in the project directory have safe filenames before running publish scripts.
Title [Kimi VS Code] Command Injection in publish scripts vsix-publish.js and ovsx-publish.js
Weaknesses CWE-77
References
Metrics cvssV3_1

{'score': 2.9, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N'}

Subscriptions

Moonshotai Kimi-agent-sdk
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-02T16:35:37.121Z

Reserved: 2026-01-28T14:50:47.886Z

Link: CVE-2026-25046

cve-icon Vulnrichment

Updated: 2026-01-30T14:38:29.541Z

cve-icon NVD

Status : Deferred

Published: 2026-01-29T22:15:55.493

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-25046

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T01:30:16Z

Weaknesses