VYPR
Critical severity 9.1 · NVD Advisory · Published May 26, 2026

CVE-2026-44444

Description

Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the Spindle extension build pipeline calls bun install without the --ignore-scripts flag before running the static backend safety scan (assertSafeBackendBundle). A malicious extension that ships a package.json with a preinstall, postinstall, or prepare lifecycle script achieves host-level code execution the moment an admin presses Install before any dist file is inspected. This vulnerability is fixed in 0.9.7.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Lumiverse 0.9.5 and earlier run untrusted npm lifecycle scripts before security scanning, enabling RCE during extension install.

Vulnerability

In Lumiverse prior to 0.9.7, the Spindle extension build pipeline calls bun install without the --ignore-scripts flag before running the static backend safety scan (assertSafeBackendBundle). A malicious extension can include a package.json with preinstall, postinstall, or prepare lifecycle scripts. These scripts execute during the build step, before any distribution file is inspected. The update path is equally affected: update() calls buildExtension() after every git pull, so a previously benign extension that adds a lifecycle script in a later commit becomes an RCE vector on the next auto-update. The vulnerability impacts all Lumiverse versions up to and including 0.9.5 [1].

Exploitation

An attacker needs to host a malicious extension repository (e.g., on GitHub) and have a Lumiverse admin user install or update the extension via the Spindle UI. No authentication other than the admin's access is required, and no additional privileges or user interaction beyond the install button click are needed. The exploit steps are: create an extension repository with a package.json that defines a postinstall script (e.g., "node -e \"require('fs').writeFileSync('/tmp/spindle_poc.txt', 'RCE via lifecycle hook\\n')"); then, as admin, install the extension via the Spindle UI pointing to that repository URL. When the admin clicks Install, bun install runs during the build, triggering the postinstall script and executing arbitrary commands on the server before the static scan runs [1].

Impact

Successful exploitation grants the attacker full OS-level code execution as the server process user at install time. The static safety scan (assertSafeBackendBundle) is completely bypassed because the malicious script runs before any file is inspected. This leads to complete host compromise, including data exfiltration, lateral movement, and persistent backdoor installation. The attacker gains the same privileges as the Lumiverse server process [1].

Mitigation

The vulnerability is fixed in Lumiverse version 0.9.7. Users should upgrade to 0.9.7 or later immediately. The fix likely involves adding the --ignore-scripts flag to the bun install call to prevent lifecycle scripts from running, or running the static scan before the install step. No workaround other than upgrading is documented, and there is no known KEV listing for this CVE at the time of publication [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The Spindle extension build pipeline calls `bun install` without the `--ignore-scripts` flag, allowing untrusted lifecycle scripts to execute before the static safety scan."

Attack vector

An attacker with Admin or Owner role creates an extension repository containing a `package.json` that defines a `preinstall`, `postinstall`, or `prepare` lifecycle script (e.g., `"postinstall": "node -e ..."`) [ref_id=1]. When the admin installs the extension via the Spindle UI, the build pipeline runs `bun install` without `--ignore-scripts`, causing the lifecycle script to execute on the server before the static backend safety scan (`assertSafeBackendBundle`) ever inspects any dist file [ref_id=1]. This gives the attacker full OS-level code execution as the server process user at install time, completely bypassing the safety scan [ref_id=1].

Affected code

The vulnerability is in the `bunInstallCmd()` function inside the Spindle extension build pipeline. This function returns `["bun", "install"]` (or variants with `--backend=copyfile` for proot environments) without the `--ignore-scripts` flag [ref_id=1]. The `update()` function also calls `buildExtension()` after a git pull, making the auto-update path equally vulnerable [ref_id=1].

What the fix does

The advisory recommends adding `--ignore-scripts` to every variant returned by `bunInstallCmd()` [ref_id=1]. This flag tells `bun install` to skip execution of any lifecycle scripts defined in the extension's `package.json`, so `preinstall`, `postinstall`, and `prepare` hooks never run. With the flag in place, the build step completes before the static safety scan without executing any untrusted code. No patch diff is included in the advisory, but the remediation is clearly specified.

Preconditions

  • Auth: Attacker must have Admin or Owner role to install extensions
  • Input: Attacker must host a malicious extension repository with a package.json containing a lifecycle script
  • Input: Admin must press Install (or auto-update must trigger) to execute the build pipeline

Reproduction

Create an extension repository with the following `package.json`:

```json
{
  "name": "malicious-extension",
  "version": "1.0.0",
  "scripts": {
    "postinstall": "node -e \"require('fs').writeFileSync('/tmp/spindle_poc.txt', 'RCE via lifecycle hook\\n')\""
  }
}
```

As an admin user, install the extension via the Spindle UI pointing to the repository URL. `bun install` runs during build, triggering `postinstall`. `/tmp/spindle_poc.txt` is created on the server before the static scan runs [ref_id=1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 0

No linked articles in our index yet.