Kilo Code CVE-2025-11445
LOWSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability was detected in Kilo Code up to 4.86.0. Affected is the function ClineProvider of the file src/core/webview/ClineProvider.ts of the component Prompt Handler. Performing manipulation results in injection. The attack can be initiated remotely. The exploit is now public and may be used. Applying a patch is the recommended action to fix this issue.
AnalysisAI
Code injection in the ClineProvider prompt handler of Kilo Code up to version 4.86.0 allows remote attackers with user interaction to manipulate input prompts and inject arbitrary code. The vulnerability affects the prompt processing component through insufficient input validation in src/core/webview/ClineProvider.ts. Public exploit code is available, and a patch has been released by the vendor, though the low CVSS score (2.1) and minimal EPSS percentile (12%) suggest limited real-world exploitation risk despite public availability.
Technical ContextAI
Kilo Code is an AI agent framework that processes natural language prompts through a web-based interface. The vulnerability exists in ClineProvider.ts, a component responsible for handling user prompts before they are passed to the underlying AI model. The root cause is classified as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), indicating that user-supplied input in prompts is not properly sanitized before being processed by the prompt handler. This allows injection of code or special commands that could be interpreted by the downstream component. The attack vector is network-based, but requires user interaction (UI:P in CVSS v4.0), meaning a user must manually trigger the action through the web interface.
Affected ProductsAI
Kilo Code versions up to and including 4.86.0 are affected. The vulnerability exists specifically in the ClineProvider component within src/core/webview/ClineProvider.ts. A patched version has been released through GitHub pull request #2244 (commit 2fdddf89edba41ec3a527134e485a3388c464333), indicating that the vendor has addressed the issue in a subsequent release following 4.86.0.
RemediationAI
Upgrade Kilo Code to the patched version released after 4.86.0 via the commit referenced in GitHub PR #2244. The fix is available in the project repository at https://github.com/Kilo-Org/kilocode/pull/2244. If immediate patching is not feasible, restrict network access to the Kilo Code web interface to trusted users only, and implement input validation rules at the reverse proxy or firewall level to block requests containing suspicious prompt injection patterns (e.g., commands, shell metacharacters, or known injection payloads). Additionally, educate users about prompt injection risks and advise them to avoid pasting untrusted prompt content into the interface. Note that these compensating controls do not eliminate the underlying vulnerability but reduce the likelihood of exploitation by limiting who can reach the vulnerable component.
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today