VulnerableCode Package Details - pkg:npm/%40github/copilot@0.0.354-15

Search for packages

Vulnerability	Summary	Fixed by
VCID-j32z-uq2t-yubx Aliases: CVE-2026-45033 GHSA-9ccr-r5hg-74gf		1.0.43 Affected by 0 other vulnerabilities.
VCID-nhuu-v424-ebcz Aliases: CVE-2026-29783 GHSA-g8r9-g2v8-jv6f	The shell tool within GitHub Copilot CLI versions prior to and including 0.0.422 can allow arbitrary code execution through crafted bash parameter expansion patterns. An attacker who can influence the commands executed by the agent (e.g., via prompt injection through repository files, MCP server responses, or user instructions) can exploit bash parameter transformation operators to execute hidden commands, bypassing the safety assessment that classifies commands as "read-only." This has been patched in version 0.0.423. The vulnerability stems from how the CLI's shell safety assessment evaluates commands before execution. The safety layer parses and classifies shell commands as either read-only (safe) or write-capable (requires user approval). However, several bash parameter expansion features can embed executable code within arguments to otherwise read-only commands, causing them to appear safe while actually performing arbitrary operations. The specific dangerous patterns are ${var@P}, ${var=value} / ${var:=value}, ${!var}, and nested $(cmd) or <(cmd) inside ${...} expansions. An attacker who can influence command text sent to the shell tool - for example, through prompt injection via malicious repository content (README files, code comments, issue bodies), compromised or malicious MCP server responses, or crafted user instructions containing obfuscated commands - could achieve arbitrary code execution on the user's workstation. This is possible even in permission modes that require user approval for write operations, since the commands can appear to use only read-only utilities to ultimately trigger write operations. Successful exploitation could lead to data exfiltration, file modification, or further system compromise.	0.0.423 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-j32z-uq2t-yubx
Aliases:
CVE-2026-45033
GHSA-9ccr-r5hg-74gf

1.0.43
Affected by 0 other vulnerabilities.

VCID-nhuu-v424-ebcz
Aliases:
CVE-2026-29783
GHSA-g8r9-g2v8-jv6f

The shell tool within GitHub Copilot CLI versions prior to and including 0.0.422 can allow arbitrary code execution through crafted bash parameter expansion patterns. An attacker who can influence the commands executed by the agent (e.g., via prompt injection through repository files, MCP server responses, or user instructions) can exploit bash parameter transformation operators to execute hidden commands, bypassing the safety assessment that classifies commands as "read-only." This has been patched in version 0.0.423. The vulnerability stems from how the CLI's shell safety assessment evaluates commands before execution. The safety layer parses and classifies shell commands as either read-only (safe) or write-capable (requires user approval). However, several bash parameter expansion features can embed executable code within arguments to otherwise read-only commands, causing them to appear safe while actually performing arbitrary operations. The specific dangerous patterns are ${var@P}, ${var=value} / ${var:=value}, ${!var}, and nested $(cmd) or <(cmd) inside ${...} expansions. An attacker who can influence command text sent to the shell tool - for example, through prompt injection via malicious repository content (README files, code comments, issue bodies), compromised or malicious MCP server responses, or crafted user instructions containing obfuscated commands - could achieve arbitrary code execution on the user's workstation. This is possible even in permission modes that require user approval for write operations, since the commands can appear to use only read-only utilities to ultimately trigger write operations. Successful exploitation could lead to data exfiltration, file modification, or further system compromise.

0.0.423
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-12T22:26:56.697743+00:00	GitLab Importer	Affected by	VCID-j32z-uq2t-yubx	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@github/copilot/CVE-2026-45033.yml	38.6.0
2026-06-12T21:18:30.475062+00:00	GitLab Importer	Affected by	VCID-nhuu-v424-ebcz	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@github/copilot/CVE-2026-29783.yml	38.6.0

2026-06-12T22:26:56.697743+00:00

GitLab Importer

Affected by

VCID-j32z-uq2t-yubx

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@github/copilot/CVE-2026-45033.yml

38.6.0

2026-06-12T21:18:30.475062+00:00

GitLab Importer

Affected by

VCID-nhuu-v424-ebcz

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@github/copilot/CVE-2026-29783.yml

38.6.0

Next non-vulnerable version	1.0.43
Latest non-vulnerable version	1.0.43
Risk	4.0