Impact
Pi is a minimal terminal coding harness that, prior to version 0.79.0, automatically loads project‑local configuration and resources from a repository’s .pi directory when it starts. The vulnerable versions do not prompt the user for trust, enabling an attacker who controls a repository to place executable TypeScript or JavaScript modules—project‑local extensions—into that directory. When a user starts Pi from that working tree, the malicious code runs in the Pi process with the same privileges as the local user, allowing arbitrary code execution on the machine. The flaw corresponds to CWE‑829, which describes the risk of executing untrusted code without proper validation. The vulnerability is fixed in version 0.79.0.
Affected Systems
The product affected is Pi from Earendil Works. Any installation of Pi before version 0.79.0 is vulnerable. Versions 0.79.0 and later contain the fix and are not affected.
Risk and Exploitability
The CVSS score of 4.4 indicates moderate severity; the likelihood of widespread exploitation is unknown, but the flaw is not listed in the CISA KEV catalog, implying no known active exploits. The attack vector requires the attacker to control a repository or a local working directory and for the user to run Pi in that repository, making it a local privilege escalation or code execution scenario rather than a remote attack.
OpenCVE Enrichment
Github GHSA