Impact
Pi is a minimal terminal coding harness. From 0.74.0 until 0.78.1, Pi versions with temporary npm or git extension package installs used predictable paths under the operating system temporary directory. On Linux-based multi-user systems, a local attacker who can write to the shared temporary directory could prepare the expected package location before another user runs pi with a temporary extension package source. Pi could then load attacker‑controlled extension code in the victim user's process, allowing the attacker to execute code in that context and potentially elevate privileges within that user’s account. The flaw is due to the predictable temporary file path usage (CWE‑379). The vulnerability was fixed in version 0.78.1.
Affected Systems
The affected product is the Pi terminal coding harness from earendil‑works. Any installation of Pi between versions 0.74.0 and 0.78.1 inclusive is vulnerable, and the fix is available in version 0.78.1 and later.
Risk and Exploitability
The CVSS score is 7.3, and the exploit probability is unknown due to missing EPSS data. The vulnerability is not listed in CISA KEV. The likely attack vector is local: an attacker must be able to write to the system temporary directory on a multi‑user Linux host. Once the attacker writes a malicious package into the predictable path, Pi will load the code as an extension, leading to local privilege escalation without requiring any additional privileges or network interaction.
OpenCVE Enrichment
Github GHSA