Impact
A race condition in Pi’s file write logic allows a brief period during which the auth.json file, which stores API keys and OAuth credentials, may be created or overwritten with permissions derived from the process umask rather than the intended owner‑only setting. This window can expose sensitive credentials to other users on the same system while Pi is running, constituting an information disclosure vulnerability.
Affected Systems
Version 0.74.0 through 0.78.0 of Pi, a minimal terminal coding harness from earendil‑works, are affected. All binaries released under those version numbers that write to auth.json are vulnerable.
Risk and Exploitability
The CVSS score of 2.2 indicates low severity, and no EPSS data or KEV listing suggests exploitation is unlikely. The likely attack vector is a local actor who can trigger a write to auth.json, such as a user running Pi or a malicious code injection that invokes Pi’s write path. The flaw requires local access; remote exploitation is not described in the CVE data.
OpenCVE Enrichment
Github GHSA