Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
In its design for automatic terminal command execution, SakaDev offers two options: Execute safe commands and execute all commands. The description for the former states that commands determined by the model to be safe will be automatically executed, whereas if the model judges a command to be potentially destructive, it still requires user approval. However, this design is highly susceptible to prompt injection attacks. An attacker can employ a generic template to wrap any malicious command and mislead the model into misclassifying it as a 'safe' command, thereby bypassing the user approval requirement and resulting in arbitrary command execution.
AnalysisAI
SakaDev's automatic terminal command execution feature can be bypassed via prompt injection attacks, allowing unauthenticated remote attackers to execute arbitrary commands without user approval by wrapping malicious commands in templates that mislead the underlying language model into misclassifying destructive operations as safe. The vulnerability exploits a design flaw in the model-based safety classification mechanism rather than a traditional code defect, affecting the extension across all versions where the 'Execute safe commands' option is enabled.
Technical ContextAI
SakaDev is a Visual Studio Code extension that integrates language model-based command execution automation. The extension implements a two-tier execution model: (1) automatic execution of commands the model deems 'safe', and (2) user-approval-gated execution for potentially destructive commands. The vulnerability stems from the reliance on prompt-injection-susceptible language model classification without secondary validation layers. This represents a class of AI/ML system vulnerabilities where adversarial prompts can subvert intended behavioral guardrails. The root cause lies in inadequate input sanitization and over-reliance on model judgment for security-critical decisions, rather than explicit command whitelisting or static analysis. No formal CWE mapping was provided, but the mechanism aligns with CWE-94 (Improper Control of Generation of Code), CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code), and CWE-20 (Improper Input Validation).
RemediationAI
Immediate remediation requires SakaDev maintainers to implement input sanitization and command classification hardening: replace model-based safety judgment with explicit command whitelisting (curated list of genuinely non-destructive commands such as echo, cd, pwd), implement static syntax analysis to reject commands containing shell operators (pipes, redirects, semicolons, backticks, variable expansion), and require user approval for any command execution regardless of model classification until a formal security review is completed. Users should immediately disable the 'Execute safe commands' option and instead use the manual approval flow for all terminal commands, or uninstall the extension if command automation is not critical. The proof-of-concept and vulnerability details are documented at https://github.com/Secsys-FDU/LLM-Tool-Calling-CVEs/issues/4 and should be reviewed by the maintainers to understand the specific injection patterns being exploited. Vendor-released patch status is not confirmed in the provided data; users should monitor the Visual Studio Code Marketplace for extension updates and the GitHub repository for security advisories.
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17203
GHSA-3m9f-mrx3-g4mq