GHSA-jfgx-wxx8-mp94

Source
https://github.com/advisories/GHSA-jfgx-wxx8-mp94
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-jfgx-wxx8-mp94/GHSA-jfgx-wxx8-mp94.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-jfgx-wxx8-mp94
Aliases
  • CVE-2026-54328
Downstream
Published
2026-06-17T13:55:13Z
Modified
2026-06-17T14:00:08.570970803Z
Severity
  • 7.3 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Summary
Pi Agent: Predictable temporary extension install paths allow local privilege escalation on shared Linux hosts
Details

Predictable temporary extension install paths allow local privilege escalation on shared Linux hosts

Pi versions with temporary npm or git extension package installs used predictable paths under the operating system temporary directory. On Linux-based multi-user systems, a local attacker who can write to the shared temporary directory could prepare the expected package location before another user runs pi with a temporary extension package source. Pi could then load attacker-controlled extension code in the victim user's process.

Info

The vulnerable code path affected temporary extension package sources loaded with --extension or -e, specifically npm and git package sources. The temporary npm install root and temporary git clone paths were deterministic and rooted under os.tmpdir()/pi-extensions. The path was derived from public source information rather than from a per-user private directory or an unpredictable temporary directory.

During resource resolution, pi considered an npm package or git checkout present if the expected package path already existed. Extension resources discovered from that package location were then loaded by the extension loader. Because extensions execute with the same privileges as the invoking pi process, pre-created temporary package contents could execute as the victim user.

The issue primarily affects Linux-based multi-user hosts where the operating system temporary directory is shared across user accounts, such as shared development machines, CI runners, HPC login nodes, and similar environments. On Windows and macOS, the default temporary directory is typically user-scoped, so default configurations are not expected to be affected unless the temporary directory is overridden to a shared writable location.

Impact

A local attacker with access to the same host can exploit this only if a victim runs a vulnerable pi version with a temporary npm or git extension package source that maps to the attacker-prepared location. No network attack path is involved and no race must be won, but victim interaction is required.

Successful exploitation can allow arbitrary extension code execution as the victim user. This can expose or modify files accessible to that user and can also cause denial of service or data loss through malicious package contents or unsafe temporary cache entries.

Affected versions

  • @earendil-works/pi-coding-agent: affected >= 0.74.0, < 0.78.1; patched >= 0.78.1
  • @mariozechner/pi-coding-agent: affected >= 0.50.0, <= 0.73.1; no patched version was released under the old package name. Migrate to @earendil-works/pi-coding-agent >= 0.78.1.

The solution

Version 0.78.1 moves temporary extension package installs to a private per-user directory under ~/.pi/agent/tmp/extensions and enforces 0700 permissions on that directory. The same release also hardens git package source path handling so managed clone paths remain inside their intended install roots.

Recommendations

Upgrade to @earendil-works/pi-coding-agent version 0.78.1 or later. Users of the deprecated @mariozechner/pi-coding-agent package should migrate to the @earendil-works/pi-coding-agent package and upgrade to a fixed version.

On shared Linux hosts, avoid using temporary npm or git extension package sources with vulnerable versions. Review any third-party extensions before loading them, because pi extensions run with full access to the invoking user's account.

Workarounds

If upgrading immediately is not possible, avoid --extension or -e with npm or git package sources on shared Linux systems. As an additional mitigation for vulnerable versions, configure the process temporary directory environment to point at a directory owned by the invoking user with 0700 permissions before starting pi.
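
The check behind both the fix and the temporary-directory workaround above, as an added example (not pi's code; `auditPrivateDir` and `ensurePrivateDir` are hypothetical names): a directory is used only if it is a real directory owned by the invoking user with no group or other permission bits, instead of being trusted because the path already exists.

```javascript
// Added example, not pi's code: verify a per-user directory before trusting it.
const fs = require("node:fs");

// Return the reasons `dir` must not be used as a private install root.
// An empty array means: a real directory, owned by `uid`, mode 0700 or tighter.
function auditPrivateDir(dir, uid = process.getuid()) {
  let st;
  try {
    st = fs.lstatSync(dir); // lstat: never follow a symlink placed at this path
  } catch (err) {
    if (err.code === "ENOENT") return ["missing"];
    throw err;
  }
  const problems = [];
  if (st.isSymbolicLink()) problems.push("symlink");
  else if (!st.isDirectory()) problems.push("not-a-directory");
  if (st.uid !== uid) problems.push("foreign-owner");
  if ((st.mode & 0o077) !== 0) problems.push("group-or-other-access");
  return problems;
}

// Create `dir` as 0700 if needed, then fail closed unless the audit is clean.
// A pre-existing directory is never trusted just because the path exists.
function ensurePrivateDir(dir) {
  // umask can only clear bits, so a directory created here is at most 0700.
  fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
  const problems = auditPrivateDir(dir);
  if (problems.length > 0) {
    // Loose permissions on an existing directory mean its contents may not be
    // ours, so refuse instead of chmod-ing and carrying on.
    throw new Error(`refusing to use ${dir}: ${problems.join(", ")}`);
  }
  return dir;
}
```

The audit covers only the leaf directory; it assumes every parent directory (the user's home directory in the 0.78.1 layout) is not writable by other accounts.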

Timeline

  • 2026-05-29: Report received
  • 2026-06-02: Fix committed
  • 2026-06-04: Fixed version 0.78.1 released
  • 2026-06-08: Advisory prepared for publication

Credits

Reported by Paul Urian and Cosmin Alexa of CrowdStrike.

Database specific
{
    "github_reviewed_at": "2026-06-17T13:55:13Z",
    "nvd_published_at": null,
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-379"
    ],
    "severity": "HIGH"
}
References

Affected packages

npm / @earendil-works/pi-coding-agent

Package

Name
@earendil-works/pi-coding-agent
Purl
pkg:npm/%40earendil-works%2Fpi-coding-agent

Affected ranges

Type
SEMVER
Events
Introduced
0.74.0
Fixed
0.78.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-jfgx-wxx8-mp94/GHSA-jfgx-wxx8-mp94.json"

npm / @mariozechner/pi-coding-agent

Package

Name
@mariozechner/pi-coding-agent
Purl
pkg:npm/%40mariozechner%2Fpi-coding-agent

Affected ranges

Type
SEMVER
Events
Introduced
0.50.0
Last affected
0.73.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-jfgx-wxx8-mp94/GHSA-jfgx-wxx8-mp94.json"