Skip to main content

Kilo Code CVE-2025-11445

LOW
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2025-10-08 cna@vuldb.com
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

1
Analysis Generated
Apr 29, 2026 - 02:03 vuln.today

DescriptionCVE.org

A vulnerability was detected in Kilo Code up to 4.86.0. Affected is the function ClineProvider of the file src/core/webview/ClineProvider.ts of the component Prompt Handler. Performing manipulation results in injection. The attack can be initiated remotely. The exploit is now public and may be used. Applying a patch is the recommended action to fix this issue.

AnalysisAI

Code injection in the ClineProvider prompt handler of Kilo Code up to version 4.86.0 allows remote attackers with user interaction to manipulate input prompts and inject arbitrary code. The vulnerability affects the prompt processing component through insufficient input validation in src/core/webview/ClineProvider.ts. Public exploit code is available, and a patch has been released by the vendor, though the low CVSS score (2.1) and minimal EPSS percentile (12%) suggest limited real-world exploitation risk despite public availability.

Technical ContextAI

Kilo Code is an AI agent framework that processes natural language prompts through a web-based interface. The vulnerability exists in ClineProvider.ts, a component responsible for handling user prompts before they are passed to the underlying AI model. The root cause is classified as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), indicating that user-supplied input in prompts is not properly sanitized before being processed by the prompt handler. This allows injection of code or special commands that could be interpreted by the downstream component. The attack vector is network-based, but requires user interaction (UI:P in CVSS v4.0), meaning a user must manually trigger the action through the web interface.

Affected ProductsAI

Kilo Code versions up to and including 4.86.0 are affected. The vulnerability exists specifically in the ClineProvider component within src/core/webview/ClineProvider.ts. A patched version has been released through GitHub pull request #2244 (commit 2fdddf89edba41ec3a527134e485a3388c464333), indicating that the vendor has addressed the issue in a subsequent release following 4.86.0.

RemediationAI

Upgrade Kilo Code to the patched version released after 4.86.0 via the commit referenced in GitHub PR #2244. The fix is available in the project repository at https://github.com/Kilo-Org/kilocode/pull/2244. If immediate patching is not feasible, restrict network access to the Kilo Code web interface to trusted users only, and implement input validation rules at the reverse proxy or firewall level to block requests containing suspicious prompt injection patterns (e.g., commands, shell metacharacters, or known injection payloads). Additionally, educate users about prompt injection risks and advise them to avoid pasting untrusted prompt content into the interface. Note that these compensating controls do not eliminate the underlying vulnerability but reduce the likelihood of exploitation by limiting who can reach the vulnerable component.

Share

CVE-2025-11445 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy