CVE-2026-54325: CWE-829: Inclusion of Functionality from Untrusted Control Sphere in earendil-works pi
Pi is a minimal terminal coding harness that before version 0.79.0 automatically loaded project-local configuration and executable extensions from a repository's .pi directory without user consent. This allowed an attacker controlling a repository to execute arbitrary TypeScript or JavaScript code with the same privileges as the Pi process when a user started Pi in that repository. The vulnerability is fixed in version 0.79.0.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2026-54325 in earendil-works pi involves the inclusion of functionality from an untrusted control sphere (CWE-829). Versions of Pi prior to 0.79.0 load project-local configuration and executable extensions from a repository's .pi directory without prompting the user to trust the repository. This behavior allows an attacker who controls a repository to place malicious Pi-specific project resources that execute with the same privileges as the Pi process when started in that repository's working tree. This can lead to unauthorized code execution within the user's environment. The issue is resolved in version 0.79.0.
Potential Impact
An attacker controlling a repository can execute arbitrary TypeScript or JavaScript code with the privileges of the Pi process when a user runs Pi in that repository. This can lead to limited confidentiality and integrity impacts as indicated by the CVSS vector (C:L/I:L/A:N). There is no indication of availability impact or known exploits in the wild.
Mitigation Recommendations
Upgrade to Pi version 0.79.0 or later, where the fix requires explicit user trust before project-local extensions are loaded. No official patch link or vendor advisory is provided, so verify the installed version before use and check for official updates.
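The trust gate the fix describes, as an added TypeScript example that is not Pi's own code. It goes beyond the page in one way: consent is bound to a digest of the `.pi` contents, so trust granted earlier does not carry over to extensions that arrive later. The `<repo>/.pi` layout, the relative-path-to-contents input and the trust-store shape are assumptions.

```typescript
// Added illustration, not code from the Pi project: a trust gate in front of
// project-local resources. Assumed layout: a repository's Pi resources live
// under <repo>/.pi and are handed in as relative path -> file contents.
import * as path from "node:path";
import { createHash } from "node:crypto";

export type ProjectFiles = Record<string, string>;
export interface TrustEntry { digest: string; }
export type TrustStore = Record<string, TrustEntry>; // canonical repo path -> entry
export interface LoadPlan { load: boolean; reason: string; }

// Canonicalise so "repo/", "repo/../repo" and "repo" share one trust key.
export function canonicalRepoKey(repoPath: string): string {
  return path.resolve(repoPath);
}

// Digest of the .pi tree (sorted names + contents). Binding trust to this value
// goes beyond the fix described above: any change to the project's extensions,
// e.g. after a pull of attacker-controlled commits, invalidates earlier consent.
export function projectDigest(files: ProjectFiles): string {
  const h = createHash("sha256");
  for (const name of Object.keys(files).sort()) {
    h.update(`${name}\0${files[name]}\0`);
  }
  return h.digest("hex");
}

// Decide whether .pi config and executable extensions may be loaded at all.
// Pre-0.79.0 behaviour was an unconditional "yes"; here the default is "no"
// until the user has explicitly trusted this exact content.
export function planProjectLoad(repoPath: string, files: ProjectFiles, store: TrustStore): LoadPlan {
  const key = canonicalRepoKey(repoPath);
  if (Object.keys(files).length === 0) return { load: false, reason: "no .pi resources present" };
  const entry = store[key];
  if (!entry) return { load: false, reason: `no trust decision for ${key}; prompt before loading .pi` };
  if (entry.digest !== projectDigest(files)) {
    return { load: false, reason: `.pi contents of ${key} changed since trust was granted; re-prompt` };
  }
  return { load: true, reason: `${key} trusted with matching .pi digest` };
}

// Persist the user's consent for the current .pi contents of a repository.
export function grantTrust(store: TrustStore, repoPath: string, files: ProjectFiles): TrustStore {
  return { ...store, [canonicalRepoKey(repoPath)]: { digest: projectDigest(files) } };
}
```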
CVSS v3.1 score: 4.4 (medium)
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-06-12T18:42:02.224Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a3aeefceed863c81e96a153
Added to database: 06/23/2026, 20:39:24 UTC
Last enriched: 06/23/2026, 20:54:18 UTC
Last updated: 06/23/2026, 21:08:00 UTC