Pi Coding Agent CVE-2026-54328
Severity by source: HIGH
AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Local attacker with unprivileged shell on shared host (AV:L, PR:L), trivial path pre-staging (AC:L), but needs victim to invoke pi with matching extension source (UI:R); full code execution as victim yields C/I/A:H.
Primary rating from GitHub Advisory.
CVSS Vector (GitHub Advisory)
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Blast Radius
Ecosystem impact
- 32 npm packages depend on @earendil-works/pi-coding-agent (32 direct, 0 indirect)
- 1 npm package depends on @mariozechner/pi-coding-agent (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 0.74.0 and other introduced versions.
Description (GitHub Advisory)
Predictable temporary extension install paths allow local privilege escalation on shared Linux hosts
Pi versions with temporary npm or git extension package installs used predictable paths under the operating system temporary directory. On Linux-based multi-user systems, a local attacker who can write to the shared temporary directory could prepare the expected package location before another user runs pi with a temporary extension package source. Pi could then load attacker-controlled extension code in the victim user's process.
Info
The vulnerable code path affected temporary extension package sources loaded with --extension or -e, specifically npm and git package sources. The temporary npm install root and temporary git clone paths were deterministic and rooted under os.tmpdir()/pi-extensions. The path was derived from public source information rather than from a per-user private directory or an unpredictable temporary directory.
During resource resolution, pi considered an npm package or git checkout present if the expected package path already existed. Extension resources discovered from that package location were then loaded by the extension loader. Because extensions execute with the same privileges as the invoking pi process, pre-created temporary package contents could execute as the victim user.
The issue primarily affects Linux-based multi-user hosts where the operating system temporary directory is shared across user accounts, such as shared development machines, CI runners, HPC login nodes, and similar environments. On Windows and macOS, the default temporary directory is typically user-scoped, so default configurations are not expected to be affected unless the temporary directory is overridden to a shared writable location.
Impact
A local attacker with access to the same host can exploit this only if a victim runs a vulnerable pi version with a temporary npm or git extension package source that maps to the attacker-prepared location. No network attack path is involved and no race must be won, but victim interaction is required.
Successful exploitation can allow arbitrary extension code execution as the victim user. This can expose or modify files accessible to that user and can also cause denial of service or data loss through malicious package contents or unsafe temporary cache entries.
Affected versions
- @earendil-works/pi-coding-agent: affected >= 0.74.0, < 0.78.1; patched >= 0.78.1
- @mariozechner/pi-coding-agent: affected >= 0.50.0, <= 0.73.1; no patched version was released under the old package name. Migrate to @earendil-works/pi-coding-agent >= 0.78.1.
The solution
Version 0.78.1 moves temporary extension package installs to a private per-user directory under ~/.pi/agent/tmp/extensions and enforces 0700 permissions on that directory. The same release also hardens git package source path handling so managed clone paths remain inside their intended install roots.
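The gap between the vulnerable existence check and the fixed behaviour can be sketched in Node.js as below. This is an added example, not pi's own code: `isInstalledNaive`, `ensurePrivateDir` and `fixedRootPath` are hypothetical names, and only the `~/.pi/agent/tmp/extensions` location and the 0700 mode come from the advisory.

```javascript
// Added example (not pi's code); all function names are hypothetical. POSIX only.
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// Pattern the advisory describes as vulnerable: whatever already sits at the
// expected location counts as "installed", no matter who put it there.
function isInstalledNaive(pkgDir) {
  return fs.existsSync(pkgDir);
}

// Location named in the advisory for fixed versions (under the user's home).
function fixedRootPath(home = os.homedir()) {
  return path.join(home, ".pi", "agent", "tmp", "extensions");
}

// Hardened pattern: the install root must be a real directory, owned by the
// invoking user, with no group/other access. Assumes the parent directories
// are themselves private to the user, as they are under the home directory.
function ensurePrivateDir(dir) {
  fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
  const st = fs.lstatSync(dir); // lstat: never follow a planted symlink
  if (st.isSymbolicLink() || !st.isDirectory()) {
    throw new Error(`${dir} is not a real directory`);
  }
  if (st.uid !== process.getuid()) {
    throw new Error(`${dir} is owned by uid ${st.uid}, refusing to use it`);
  }
  if ((st.mode & 0o077) !== 0) {
    fs.chmodSync(dir, 0o700); // tighten a directory we own
  }
  return dir;
}
```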
Recommendations
Upgrade to @earendil-works/pi-coding-agent version 0.78.1 or later. Users of the deprecated @mariozechner/pi-coding-agent package should migrate to the @earendil-works/pi-coding-agent package and upgrade to a fixed version.
On shared Linux hosts, avoid using temporary npm or git extension package sources with vulnerable versions. Review any third-party extensions before loading them, because pi extensions run with full access to the invoking user's account.
Workarounds
If upgrading immediately is not possible, avoid --extension or -e with npm or git package sources on shared Linux systems. As an additional mitigation for vulnerable versions, configure the process temporary directory environment to point at a directory owned by the invoking user with 0700 permissions before starting pi.
Timeline
- 2026-05-29: Report received
- 2026-06-02: Fix committed
- 2026-06-04: Fixed version 0.78.1 released
- 2026-06-08: Advisory prepared for publication
Credits
Reported by Paul Urian and Cosmin Alexa of CrowdStrike.
Analysis (AI)
Local privilege escalation in the Pi coding agent (npm packages @earendil-works/pi-coding-agent 0.74.0-0.78.0 and @mariozechner/pi-coding-agent 0.50.0-0.73.1) allows a co-resident attacker on a shared Linux host to pre-stage attacker-controlled extension code in a predictable os.tmpdir()/pi-extensions path that pi later loads as the victim user. No public exploit identified at time of analysis, but the issue was reported by CrowdStrike researchers and patched in 0.78.1 of the renamed package. …
Vulnerability Assessment (AI)

| Aspect | Assessment |
| --- | --- |
| Exploitation | Requires (1) a local unprivileged shell account on the same Linux host with write access to the shared `os.tmpdir()` (typically `/tmp` with sticky-bit mode 1777); (2) a vulnerable pi version installed and reachable by the victim - @earendil-works/pi-coding-agent 0.74.0-0.78.0 or @mariozechner/pi-coding-agent 0.50.0-0.73.1; (3) the victim must subsequently invoke pi with `--extension`/`-e` against an npm or git package source whose identifier the attacker can predict (npm spec, or git host+path) so the deterministic path under `os.tmpdir()/pi-extensions` matches what the attacker pre-staged. … |
| Risk Assessment | CVSS 7.3 with AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H accurately reflects the dynamics: exploitation is local, low-complexity (just pre-create a directory tree), needs only an unprivileged local account (PR:L), but requires the victim to actually invoke `pi -e` with a temporary package source the attacker can predict (UI:R). … |
| Exploit Scenario | On a shared Linux CI runner, attacker user `mallory` knows that engineer `victim` periodically runs `pi -e npm:internal-helper` from build jobs; mallory computes the deterministic `/tmp/pi-extensions/...` path for that npm spec and pre-creates it with a malicious `package.json` and JavaScript entrypoint. When victim next invokes pi with that extension source, pi sees the path exists, skips the real npm install, and loads mallory's code in-process, giving mallory arbitrary code execution as victim and access to victim's source, SSH keys, and CI secrets. |
| Remediation | Vendor-released patch: @earendil-works/pi-coding-agent 0.78.1 - upgrade via `npm i -g @earendil-works/pi-coding-agent@^0.78.1` (or pin in your package manifest). … |
Recommended Action (AI)
Within 24 hours: Audit all development systems, CI runners, and shared infrastructure for affected package versions. …
GHSA-jfgx-wxx8-mp94