Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the Spindle extension build pipeline calls bun install without the --ignore-scripts flag before running the static backend safety scan (assertSafeBackendBundle). A malicious extension that ships a package.json with a preinstall, postinstall, or prepare lifecycle script achieves host-level code execution the moment an admin presses Install before any dist file is inspected. This vulnerability is fixed in 0.9.7.
AnalysisAI
Host-level code execution in Lumiverse AI chat application (versions prior to 0.9.7) allows admin-authenticated attackers to run arbitrary commands on the host by submitting a malicious Spindle extension whose package.json defines lifecycle scripts. The Spindle build pipeline invokes bun install before its static safety scan and without script execution disabled, so code runs at install time on the server rather than at runtime in any sandboxed bundle. No public exploit identified at time of analysis.
Technical ContextAI
Lumiverse uses the Bun JavaScript runtime to install third-party 'Spindle' extension packages as part of its extension build pipeline. By default, package managers like bun, npm, and yarn execute preinstall, install, postinstall, and prepare lifecycle scripts declared in a package.json as the user running the installer. Lumiverse's pipeline performs the dependency install step before its custom validator assertSafeBackendBundle inspects the produced dist files, and it omits the --ignore-scripts flag that would suppress lifecycle execution. This is a textbook CWE-78 (OS Command Injection) primitive via a trusted build toolchain: the static analyzer never gets a chance to run because arbitrary shell payloads execute earlier in the dependency resolution phase. Per the supplied CPE cpe:2.3:a:prolix-oc:lumiverse:*:*:*:*:*:*:*:*, all versions of prolix-oc/Lumiverse up to the fix are in scope.
RemediationAI
Vendor-released patch: upgrade to Lumiverse 0.9.7 or later, where the Spindle pipeline invokes bun install with --ignore-scripts and runs assertSafeBackendBundle before any script execution path is reachable; see https://github.com/prolix-oc/Lumiverse/security/advisories/GHSA-8x98-3wjp-pmj9. If immediate upgrade is not feasible, administrators should disable the Spindle extension installation feature entirely (preventing legitimate extension installs as a side effect), restrict administrative access to the extension-install endpoint to a trusted operator on an isolated network segment, and only side-load extensions whose package.json has been manually audited for preinstall, postinstall, and prepare entries before invoking install. As an additional containment measure, run the Lumiverse process under a dedicated low-privilege OS account with no write access to system directories so that any residual lifecycle script execution is bounded; this does not eliminate the vulnerability but reduces blast radius.
Remote code execution in Lumiverse AI chat application prior to 0.9.7 allows any authenticated user to run arbitrary OS-
Sandbox escape in Lumiverse AI chat application versions prior to 0.9.7 allows remote attackers to execute arbitrary Jav
Argument injection in Lumiverse AI chat application before version 0.9.7 enables authenticated high-privilege attackers
Lumiverse's sign-up nonce mechanism prior to version 0.9.7 allows unauthenticated remote attackers to register unauthori
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31981