VYPR

CVE-2026-48546

High severity (7.3) · NVD Advisory · Published Jun 11, 2026 · Updated Jun 11, 2026
Description

KanaDojo before 0.1.18 allows sandbox escape via passing require into vm.runInNewContext(), enabling RCE in GitHub Actions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

KanaDojo before version 0.1.18 contains a sandbox escape vulnerability in the issue-auto-respond.yml GitHub Actions workflow. The workflow explicitly passes the global require function into a Node.js vm.runInNewContext() sandbox context. This allows code executed within the sandbox to access Node.js modules, bypassing the intended isolation. The vulnerable code path is triggered when a pull request modifies the messages.cjs file, which is then executed inside the sandbox. Affected versions: all prior to 0.1.18. [1][2]

Exploitation

An attacker can submit a pull request that modifies messages.cjs to include calls to require() to import arbitrary Node.js modules. The workflow automatically processes the pull request and runs the modified script inside the sandbox, which has access to the global require. No authentication beyond a GitHub account is needed; the attacker only needs to fork the repository and open a pull request. The sandbox escape is achieved by using require to load modules such as child_process to execute system commands. [2]

Impact

Successful exploitation allows arbitrary code execution on the GitHub Actions runner with full privileges, including access to the AUTOMATION_PR_TOKEN secret. This token can be used to modify repository contents, create releases, or access other secrets. The attacker gains the ability to compromise the repository and potentially the CI/CD pipeline. [2]

Mitigation

The vulnerability is fixed in version 0.1.18, released on 2026-06-11. The fix removes the require function from the sandbox context and replaces execSync with execFileSync to prevent command injection. Users should update to version 0.1.18 or later. No workarounds are available for earlier versions. [1][3]

AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 1

Commit 31b85a5d7c4b

fix(security): remove require from VM sandbox and replace execSync with execFileSync

https://github.com/lingdojo/kana-dojo · てんとう虫 · May 29, 2026 · via nvd-ref
2 files changed · +6 −9
  • .github/scripts/create-release.cjs (+5 −8, modified)
    @@ -1,6 +1,6 @@
     const fs = require('fs');
     const https = require('https');
    -const { execSync } = require('child_process');
    +const { execFileSync } = require('child_process');
     
     async function createRelease() {
       try {
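Review bot: swapping the import to `execFileSync` only holds as long as no later call passes `{ shell: true }`, which would bring the shell back for every argument; a one-line comment beside the import stating why `execSync` was dropped (command injection through the tag name, CVE-2026-48546) would keep a future edit from reintroducing it.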
    @@ -20,7 +20,7 @@ async function createRelease() {
     
         // Check if tag already exists
         try {
    -      execSync(`git rev-parse ${tagName}`, { stdio: 'pipe' });
    +      execFileSync('git', ['rev-parse', tagName], { stdio: 'pipe' });
           console.log(`Tag ${tagName} already exists, skipping release creation`);
           process.exit(0);
         } catch (e) {
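Review bot: `catch (e)` treats every failure of `git rev-parse` as "tag does not exist", so a missing `git` binary (`e.code === 'ENOENT'`) or a broken checkout falls through to tag creation instead of aborting; distinguish a non-zero exit (`e.status`) from a spawn error before continuing. Passing `tagName` as an argv entry rather than shell text is the right fix, but a value beginning with `-` would still be read by git as an option, so `version` should be validated against a strict numeric pattern at the point where `tagName` is built.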
    @@ -109,19 +109,16 @@ ${changelogSection}
     
         // Create annotated tag
         const tagMessage = `Release v${version}: ${latest.changes[0] || 'New release'}`;
    -    execSync(`git tag -a ${tagName} -m "${tagMessage}"`, { stdio: 'inherit' });
    +    execFileSync('git', ['tag', '-a', tagName, '-m', tagMessage], { stdio: 'inherit' });
     
         // Push tag
    -    execSync(`git push origin ${tagName}`, { stdio: 'inherit' });
    +    execFileSync('git', ['push', 'origin', tagName], { stdio: 'inherit' });
     
         // Create GitHub Release using gh CLI
         const notesFile = '/tmp/release-notes.md';
         fs.writeFileSync(notesFile, releaseNotes);
     
    -    execSync(
    -      `gh release create ${tagName} --title "KanaDojo v${version}" --notes-file ${notesFile}`,
    -      { stdio: 'inherit' }
    -    );
    +    execFileSync('gh', ['release', 'create', tagName, '--title', `KanaDojo v${version}`, '--notes-file', notesFile], { stdio: 'inherit' });
     
         console.log(`GitHub Release v${version} created successfully!`);
         console.log(`  Version: ${version}`);
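Review bot: the `gh release create` call that was three formatted lines is now a single 130-column line; keep the argument array split across lines as the old call was. The `--title` and `-m` values built from `version` and `latest.changes[0]` are now single argv entries, so the quoting problem is gone, but `tagName` also goes positionally into `git tag -a` and `git push origin`, so the version string should be checked against a strict numeric pattern before `tagName` is derived from it (that check is not visible in this hunk).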
    
  • .github/workflows/issue-auto-respond.yml (+1 −1, modified)
    @@ -40,7 +40,7 @@ jobs:
                 const content = Buffer.from(file.content, 'base64').toString('utf8');
                 const module = { exports: {} };
                 const vm = require('vm');
    -            vm.runInNewContext(content, { module, exports: module.exports, require });
    +            vm.runInNewContext(content, { module, exports: module.exports });
                 const templates = module.exports;
                 const t = templates.issueAutoRespond;
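Review bot: dropping `require` from the context closes the module-loading path, but Node's documentation states that the `vm` module is not a security mechanism: code run via `runInNewContext` still shares the objects handed to it (here `module` and `exports`) with the host realm, so this should not be relied on as isolation for PR-supplied code. Consider adding a `timeout` option to the call and running this workflow under the `pull_request` event with read-only permissions so the evaluated script never runs in a job that holds `AUTOMATION_PR_TOKEN`.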
     
    

Vulnerability mechanics

Root cause

"Explicitly passing the global `require` function into a Node.js vm.runInNewContext() sandbox allows sandboxed code to import arbitrary modules and escape the sandbox."

Attack vector

An attacker submits a pull request that modifies `messages.cjs` to include a call to `require('child_process')` or any other Node.js module. The `issue-auto-respond.yml` workflow loads this file inside a `vm.runInNewContext()` sandbox that explicitly passes the global `require` function, so the attacker's code can import arbitrary modules and execute shell commands. This achieves remote code execution with the full privileges of the GitHub Actions runner, including access to the `AUTOMATION_PR_TOKEN` secret [ref_id=1].

Affected code

.github/workflows/issue-auto-respond.yml passes the global `require` into `vm.runInNewContext()`, and `.github/scripts/create-release.cjs` uses `execSync` with unsanitized shell arguments. Both files are patched in commit 31b85a5d7c4b323ddeba3b2dc5e7807558710544 [patch_id=5619876].

What the fix does

The patch removes the `require` parameter from the `vm.runInNewContext()` call in `issue-auto-respond.yml`, so sandboxed code can no longer access Node.js's module loading. It also replaces all `execSync` calls in `create-release.cjs` with `execFileSync`, which passes arguments as an array and prevents shell injection. Together these changes close both the sandbox escape and command-injection vectors [patch_id=5619876].

Preconditions

  • auth: The attacker must be able to open a pull request that modifies messages.cjs in the repository.
  • config: The issue-auto-respond.yml workflow must be configured to run on pull_request events.
  • network: The workflow runner must have network access to clone the PR branch and execute the sandboxed script.

Generated on Jun 11, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3

News mentions: 0