CVE-2026-25046 is a command injection vulnerability classified under CWE-77 found in the MoonshotAI kimi-agent-sdk development scripts, specifically vsix-publish.js and ovsx-publish.js. These scripts use Node.js's execSync() function to execute shell commands constructed by concatenating filenames directly into command strings. If a filename contains shell metacharacters such as $(cmd), it can lead to arbitrary command execution on the host system. This vulnerability exists only in the repository's development scripts and does not affect the published VSCode extension, which excludes these files. The root cause is improper neutralization of special shell elements in filenames passed to execSync(), allowing injection of malicious commands. The vulnerability is fixed in version 0.1.6 by replacing execSync() with execFileSync(), which accepts an array of arguments and prevents shell interpretation of filenames. Exploitation requires local access with high privileges to run the vulnerable scripts and user interaction to provide malicious filenames. There are no known exploits in the wild. The CVSS v3.1 base score is 2.9, reflecting low confidentiality and integrity impact, high attack complexity, requirement for privileges and user interaction, and no impact on availability.

For European organizations, the impact of this vulnerability is limited primarily to development environments where the vulnerable kimi-agent-sdk scripts are used. Since the vulnerability requires local execution of development scripts with malicious filenames, it does not pose a direct threat to production systems or end users. However, if an attacker gains local access to a developer's machine or build environment, they could execute arbitrary commands with the privileges of the user running the scripts, potentially leading to code execution or environment compromise. This could result in unauthorized access to source code, build artifacts, or credentials stored in the development environment. The low CVSS score and absence of known exploits indicate a low likelihood of widespread impact. Nonetheless, organizations with strict development security policies or those using these scripts in automated CI/CD pipelines should be cautious to prevent supply chain or insider threats.

European organizations should upgrade the kimi-agent-sdk to version 0.1.6 or later, where the vulnerability is fixed by using execFileSync() with argument arrays to safely handle filenames. Until upgrading, developers must ensure that all .vsix files or other inputs used by the vsix-publish.js and ovsx-publish.js scripts have sanitized filenames free of shell metacharacters such as $(), ``, ;, &, |, or other command injection vectors. Implement strict filename validation or whitelisting in build and publish scripts. Restrict access to development environments and scripts to trusted personnel only. Employ code review and static analysis tools to detect unsafe use of execSync() or similar functions in scripts. Additionally, consider running development scripts in isolated containers or sandboxes to limit the impact of potential command injection. Regularly audit development tools and scripts for security best practices to prevent similar issues.