Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Ridvay Code's command auto-approval module contains a critical OS command injection vulnerability that renders its whitelist security mechanism completely ineffective. The system relies on fragile regular expressions to parse command structures; while it attempts to intercept dangerous operations, it fails to account for standard Shell command substitution Ridvay Code (specifically$(...)and backticks ...). An attacker can construct a command such as git log --grep="$(malicious_command)", forcing Syntx to misidentify it as a safe git operation and automatically approve it. The underlying Shell prioritizes the execution of the malicious code injected within the arguments, resulting in Remote Code Execution without any user interaction.
AnalysisAI
Remote code execution in Ridvay Code's command auto-approval module allows unauthenticated attackers to bypass whitelist protections via shell command substitution syntax ($(…) and backticks) embedded in seemingly benign git commands, achieving code execution without user interaction. The vulnerability exploits inadequate regular expression validation that fails to detect shell metacharacters in command arguments, enabling attackers to inject arbitrary commands that execute with the privileges of the Ridvay Code process.
Technical ContextAI
Ridvay Code implements a command auto-approval system intended to safely permit certain operations by validating commands against a whitelist using regular expressions. The vulnerability stems from insufficient parsing logic that does not account for shell command substitution mechanisms-specifically the $(command) syntax and backtick command substitution-which are evaluated by the underlying shell interpreter after the whitelist check passes. The root cause is inadequate input validation at the command parsing layer (CWE-77/CWE-78 territory: Improper Neutralization of Special Elements used in a Command). An attacker can embed malicious shell syntax within ostensibly safe arguments (e.g., git log parameters), causing the shell to execute the injected code before or alongside the whitelisted command. This represents a failure to perform proper sanitization or escaping of shell metacharacters prior to command execution.
RemediationAI
Immediate remediation requires disabling or removing the command auto-approval feature entirely until a patched version is available, or restricting its use to isolated, non-production environments. The underlying fix must involve secure command parsing: reject any command string or argument containing shell metacharacters ($(, , , |, ;, &, >, <, etc.) before whitelist evaluation, or use a secure command execution API (e.g., language-native system calls that accept argument arrays rather than shell strings, preventing interpretation of shell syntax). Patch availability has not been confirmed from vendor advisory; users should monitor https://ridvay.com/ and https://github.com/Secsys-FDU/LLM-Tool-Calling-CVEs/issues/8 for security updates. As an interim control, if the auto-approval mechanism can be disabled via configuration, do so immediately and require explicit manual approval for all commands.
Same weakness CWE-78 – OS Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17423