
CVE-2026-26974: CWE-829: Inclusion of Functionality from Untrusted Control Sphere in Tygo-van-den-Hurk Slyde

Severity: High
Tags: vulnerability, CVE-2026-26974, CWE-829
Published: Fri Feb 20 2026 (02/20/2026, 00:34:37 UTC)
Source: CVE Database V5
Vendor/Project: Tygo-van-den-Hurk
Product: Slyde

Description

CVE-2026-26974 is a high-severity vulnerability affecting Slyde versions prior to 0.0.5, a Node.js-based program for creating animated presentations from XML. The vulnerability arises because Slyde automatically imports all files matching **/*.plugin.{js,mjs}, including those in node_modules, without restricting the source. This behavior allows malicious packages containing .plugin.js files to execute arbitrary code upon installation or require, posing a significant risk especially when untrusted packages are installed.

AI-Powered Analysis

AILast updated: 02/20/2026, 01:16:37 UTC

Technical Analysis

Slyde is a Node.js application designed to generate animated presentations from XML input. In versions 0.0.4 and earlier, it employs a dynamic import mechanism that automatically loads all files matching the pattern **/*.plugin.{js,mjs}, including those located within the node_modules directory. This import behavior does not discriminate between trusted and untrusted packages, which introduces a critical security flaw categorized under CWE-829: Inclusion of Functionality from Untrusted Control Sphere. An attacker can exploit this by publishing a malicious npm package containing a .plugin.js file. When such a package is installed or required by a project using vulnerable Slyde versions, the malicious code executes with the privileges of the Node.js process. This can lead to arbitrary code execution, compromising confidentiality, integrity, and availability of the host system. The vulnerability requires no authentication but does require user interaction in the form of installing or requiring the malicious package. The CVSS 4.0 base score is 7.6 (high), reflecting network attack vector, high impact on confidentiality and integrity, and user interaction required. The vulnerability was publicly disclosed on February 20, 2026, and fixed in Slyde version 0.0.5. No known exploits have been reported in the wild to date. Mitigation involves upgrading to the patched version or carefully auditing and restricting packages installed in node_modules to prevent untrusted code execution.

Potential Impact

This vulnerability enables remote attackers to execute arbitrary code on systems running vulnerable versions of Slyde by leveraging malicious npm packages containing .plugin.js files. The impact is severe as it can lead to full system compromise, data theft, or disruption of services. Organizations using Slyde in their development or production environments risk exposure to supply chain attacks, especially if they incorporate third-party or untrusted packages. The automatic import behavior increases the attack surface by implicitly trusting all installed packages. This can undermine the integrity of software builds and deployment pipelines, potentially affecting downstream users and clients. The vulnerability also threatens the confidentiality of sensitive data processed by Slyde and can cause denial of service if exploited to execute destructive payloads. Given the widespread use of Node.js and npm packages globally, the scope of affected systems is significant, particularly in development environments that do not enforce strict package vetting.

Mitigation Recommendations

1. Upgrade all instances of Slyde to version 0.0.5 or later, where the automatic import behavior has been corrected.
2. Implement strict package management policies: audit all installed npm packages for legitimacy and remove any untrusted or unnecessary dependencies.
3. Use npm package integrity verification tools such as npm audit, npm ci with package-lock.json, or third-party supply chain security tools to detect malicious packages.
4. Restrict the import paths or modify the loading mechanism in custom forks of Slyde to exclude node_modules or untrusted directories from automatic imports.
5. Employ runtime application self-protection (RASP) or endpoint detection and response (EDR) solutions to monitor and block suspicious code execution originating from node_modules.
6. Educate developers and DevOps teams about the risks of installing untrusted packages and encourage the use of private registries or vetted package repositories.
7. Consider containerizing Slyde environments with minimal privileges and immutable filesystems to limit the impact of potential exploitation.


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-16T22:20:28.612Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6997b28bd7880ec89b4763ab

Added to database: 2/20/2026, 1:02:03 AM

Last enriched: 2/20/2026, 1:16:37 AM

Last updated: 2/20/2026, 2:31:30 AM

