Cyber Posture

CVE-2026-30302

Severity: Critical

Published: 27 March 2026
Modified: 02 April 2026
KEV Added
Patch
CVSS Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0044 (63.3rd percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

The command auto-approval module in CodeRider-Kilo contains an OS Command Injection vulnerability, rendering its whitelist security mechanism ineffective. The vulnerability stems from the incorrect use of an incompatible command parser (the Unix-based shell-quote library) to analyze commands on the Windows platform, coupled with a failure to correctly handle Windows CMD-specific escape sequences (^). Attackers can exploit this discrepancy between the parsing logic and the execution environment by constructing payloads such as git log ^" & malicious_command ^". The CodeRider-Kilo parser is deceived by the escape characters, misinterpreting the malicious command connector (&) as being within a protected string argument and thus auto-approving the command. However, the underlying Windows CMD interpreter ignores the escaped quotes, parsing and executing the subsequent malicious command directly. This allows attackers to achieve arbitrary Remote Code Execution (RCE) after bypassing what appears to be a legitimate Git whitelist check.
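The parser/interpreter mismatch described above can be reproduced with a few lines of JavaScript. The following is an added example, not CodeRider-Kilo's code and not the shell-quote library: `posixTokens` is a deliberately minimal stand-in for a POSIX-style tokenizer (double quotes group text, backslash escapes, `^` has no meaning), `naiveApprove` models an allowlist gate that trusts such a tokenizer, and `cmdHasUnquotedOperator` applies the rules Windows CMD actually uses (`^` escapes the next character, including a quote, and never opens a quoted string). The allowlist `['git']` and the command strings are constructed for the test.

```javascript
// Added example: why a POSIX-style tokenizer is the wrong gate for a Windows CMD
// auto-approval allowlist, and a platform-aware pre-check that closes the gap.

// Simplified POSIX-style tokenizer (assumption: stand-in for a shell-quote-like
// parser, not the real library). Returns strings for words and {op} for operators.
function posixTokens(cmd) {
  const tokens = [];
  let cur = '';
  let have = false;   // true once the current word has content (even empty quotes)
  let inDq = false;   // inside "..."
  for (let i = 0; i < cmd.length; i++) {
    const c = cmd[i];
    if (inDq) {
      if (c === '\\' && i + 1 < cmd.length) { cur += cmd[++i]; continue; }
      if (c === '"') { inDq = false; continue; }
      cur += c;
      continue;
    }
    if (c === '\\' && i + 1 < cmd.length) { cur += cmd[++i]; have = true; continue; }
    if (c === '"') { inDq = true; have = true; continue; }
    if (c === ' ' || c === '\t') {
      if (have) { tokens.push(cur); cur = ''; have = false; }
      continue;
    }
    if (c === '&' || c === '|' || c === ';') {
      if (have) { tokens.push(cur); cur = ''; have = false; }
      tokens.push({ op: c });
      continue;
    }
    cur += c;          // '^' is an ordinary character here: the core of the mismatch
    have = true;
  }
  if (have) tokens.push(cur);
  return tokens;
}

// Flawed gate modelled on the advisory: approve when the first word is allowlisted
// and the tokenizer saw no operator token.
function naiveApprove(cmd, allow) {
  const toks = posixTokens(cmd);
  if (toks.length === 0 || typeof toks[0] !== 'string') return false;
  if (toks.some((t) => typeof t !== 'string')) return false;
  return allow.includes(toks[0]);
}

// Windows CMD rules: '^' escapes the next character (a '^"' is a literal quote and
// does not toggle quoting); '"' toggles quoting; outside quotes & | < > chain or
// redirect commands, and a line break ends the command.
function cmdHasUnquotedOperator(cmd) {
  let inQuote = false;
  for (let i = 0; i < cmd.length; i++) {
    const c = cmd[i];
    if (c === '\n' || c === '\r') return true;
    if (inQuote) { if (c === '"') inQuote = false; continue; }
    if (c === '^') { i++; continue; }      // skip the escaped character
    if (c === '"') { inQuote = true; continue; }
    if ('&|<>'.includes(c)) return true;
  }
  return false;
}

// Platform-aware gate: refuse anything CMD would treat as more than one command,
// then check the first word against the allowlist.
function windowsAwareApprove(cmd, allow) {
  if (cmdHasUnquotedOperator(cmd)) return false;
  const first = cmd.trim().split(/\s+/)[0];
  return allow.includes(first);
}

// Constructed regression inputs (the first is the payload shape from the advisory).
const BYPASS = 'git log ^" & malicious_command ^"';
const PLAIN_CHAIN = 'git log & malicious_command';
const QUOTED_AMP = 'git log --grep="fix & test"';

module.exports = { posixTokens, naiveApprove, cmdHasUnquotedOperator, windowsAwareApprove };
```

The naive gate correctly refuses `PLAIN_CHAIN`, which is why the allowlist looked sound, but it approves `BYPASS` because the tokenizer swallowed the `&` into a quoted word. The CMD-aware check rejects `BYPASS` and still accepts `QUOTED_AMP`, where the ampersand really is quoted. A conservative pre-check of this kind is a regression test, not a substitute for replacing the wrong-platform parser as the advisory recommends.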

Mitigating Controls (NIST 800-53 r5)

prevent: Directly prevents OS command injection by enforcing validation of command inputs with platform-appropriate parsing to block malformed payloads exploiting parser-execution discrepancies.

prevent: Addresses the specific flaw in the Unix-based parser on Windows by requiring timely remediation such as patching or replacing the incompatible shell-quote library.

prevent: Restricts command inputs to validated whitelists, mitigating bypass attempts by limiting untrusted inputs before parsing in the auto-approval module.

Security Summary

CVE-2026-30302 is an OS Command Injection vulnerability (CWE-78) in the command auto-approval module of CodeRider-Kilo. The flaw occurs due to the incorrect use of a Unix-based shell-quote library to parse commands on the Windows platform, which fails to properly handle Windows CMD-specific escape sequences such as ^. This discrepancy renders the whitelist security mechanism ineffective, allowing malicious commands to bypass validation despite appearing as legitimate whitelisted operations like Git commands.

Remote attackers require no privileges or user interaction to exploit the vulnerability, as indicated by its CVSS 3.1 score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). By constructing payloads such as "git log ^\" & malicious_command ^\"", attackers deceive the parser into treating the malicious connector (&) as part of a protected string argument, leading to auto-approval. The Windows CMD interpreter, however, ignores the escaped quotes and executes the injected command directly, enabling arbitrary remote code execution (RCE).

Mitigation details are available in the advisory referenced at https://github.com/Secsys-FDU/LLM-Tool-Calling-CVEs/issues/3, published on 2026-03-27T16:16:23.210.

Details

CWE(s): CWE-78 (OS Command Injection)

Affected Products: coderider-kilo (coderider), versions ≤ 2.3.6

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.003 Windows Command Shell (Execution): Adversaries may abuse the Windows command shell for execution.
Why these techniques?

The CVE enables remote exploitation of a public-facing application (T1190) through OS command injection via the Windows command shell (T1059.003), bypassing the whitelist to achieve arbitrary RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References