| Version | Supported |
|---|---|
| 2.7.x | ✅ Active |
| 2.6.x | ✅ Active |
| 2.5.x | ✅ Active |
| 2.4.x | |
| < 2.4 | ❌ End of life |
- Email: Send details to the maintainers via GitHub's private vulnerability reporting:
  - Go to the Security tab
  - Click "Report a vulnerability"

Include:
- Description of the vulnerability
- Steps to reproduce
- Affected versions
- Potential impact
- Suggested fix (if any)

| Stage | Target Time |
|---|---|
| Acknowledgment | 48 hours |
| Initial assessment | 5 business days |
| Fix development | 14 business days (critical), 30 days (high) |
| Advisory published | After fix is released |
Given this project involves AI agent execution with shell access, we take these especially seriously:
- Command injection in `shell.exec` or any tool handler
- Path traversal bypass in `guardrails.pathTraversal`
- Arbitrary file read/write via tool arguments
- Rate limit bypass enabling DoS
- Permission escalation in plugin system
- Supply chain risks in dependencies

Out of scope:
- LLM prompt injection (inherent to AI systems, not a code vulnerability)
- Missing features (e.g., "should add sandboxing for X")
- Configuration errors by the user
This project implements defense-in-depth for shell execution:
- Whitelist-only — Only approved commands can run (`ALLOWED_COMMANDS`)
- No shell — `execFileSync` with parsed args (no `shell: true`)
- Arg parsing — `parseCommandArgs` with escape sequence support
- Pattern detection — Blocks command substitution (`$()`, `` ` ``) and destructive commands
- Path validation — `pathTraversal()` with `path.normalize()`, explicit `projectRoot`, and `fs.realpathSync()` for symlink resolution
- File limits — `maxFileSize`, `maxFiles`, `maxDepth` prevent OOM
- Rate limiting — Prevents abuse of tool calls
- Result truncation — 100KB limit prevents memory exhaustion
For the full security fix history, see CHANGELOG.md.
Key security fixes by version:
| Version | Key fix |
|---|---|
| 2.7.x | CLI engine spawn safety, artifact write path validation, quality gate enforcement |
| 2.6.x | SSRF protection, WS hardening, security headers, sensitive route auth |
| 2.5.x | Per-provider circuit breaker, rate limit hard cap, X-Forwarded-For spoofing fix |
| 2.4.x | BLOCKED_FLAGS bypass, sandboxExec hardening, secret scanning, ReDoS protection |
| 2.2.x | Symlink traversal fix, safeWrite temp file leak, queue destroy guard |
| 2.1.x | Command injection fix, path traversal fix, dangerous pattern detection |
| 2.0.x | Initial security layer (guardrails, sandboxExec, safeWrite, rateLimit) |