Pi Agent: Predictable temporary extension install paths allow local privilege escalation on shared Linux hosts
Description
# Predictable temporary extension install paths allow local privilege escalation on shared Linux hosts
Pi versions with temporary npm or git extension package installs used predictable paths under the operating system temporary directory. On Linux-based multi-user systems, a local attacker who can write to the shared temporary directory could prepare the expected package location before another user runs pi with a temporary extension package source. Pi could then load attacker-controlled extension code in the victim user's process.
Info
The vulnerable code path affected temporary extension package sources loaded with --extension or -e, specifically npm and git package sources. The temporary npm install root and temporary git clone paths were deterministic and rooted under os.tmpdir()/pi-extensions. The path was derived from public source information rather than from a per-user private directory or an unpredictable temporary directory.
During resource resolution, pi considered an npm package or git checkout present if the expected package path already existed. Extension resources discovered from that package location were then loaded by the extension loader. Because extensions execute with the same privileges as the invoking pi process, pre-created temporary package contents could execute as the victim user.
The issue primarily affects Linux-based multi-user hosts where the operating system temporary directory is shared across user accounts, such as shared development machines, CI runners, HPC login nodes, and similar environments. On Windows and macOS, the default temporary directory is typically user-scoped, so default configurations are not expected to be affected unless the temporary directory is overridden to a shared writable location.
Impact
A local attacker with access to the same host can exploit this only if a victim runs a vulnerable pi version with a temporary npm or git extension package source that maps to the attacker-prepared location. No network attack path is involved and no race must be won, but victim interaction is required.
Successful exploitation can allow arbitrary extension code execution as the victim user. This can expose or modify files accessible to that user and can also cause denial of service or data loss through malicious package contents or unsafe temporary cache entries.
Affected versions
@earendil-works/pi-coding-agent: affected>= 0.74.0, < 0.78.1; patched>= 0.78.1@mariozechner/pi-coding-agent: affected>= 0.50.0, <= 0.73.1; no patched version was released under the old package name. Migrate to@earendil-works/pi-coding-agent >= 0.78.1.
The solution
Version 0.78.1 moves temporary extension package installs to a private per-user directory under ~/.pi/agent/tmp/extensions and enforces 0700 permissions on that directory. The same release also hardens git package source path handling so managed clone paths remain inside their intended install roots.
Recommendations
Upgrade to @earendil-works/pi-coding-agent version 0.78.1 or later. Users of the deprecated @mariozechner/pi-coding-agent package should migrate to the @earendil-works/pi-coding-agent package and upgrade to a fixed version.
On shared Linux hosts, avoid using temporary npm or git extension package sources with vulnerable versions. Review any third-party extensions before loading them, because pi extensions run with full access to the invoking user's account.
Workarounds
If upgrading immediately is not possible, avoid --extension or -e with npm or git package sources on shared Linux systems. As an additional mitigation for vulnerable versions, configure the process temporary directory environment to point at a directory owned by the invoking user with 0700 permissions before starting pi.
Timeline
- 2026-05-29: Report received
- 2026-06-02: Fix committed
- 2026-06-04: Fixed version 0.78.1 released
- 2026-06-08: Advisory prepared for publication
Credits
Reported by Paul Urian and Cosmin Alexa of CrowdStrike.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- Range: >=0.74.0, <0.78.1
- Range: >=0.50.0, <=0.73.1
Patches
Vulnerability mechanics
Root cause
"Predictable temporary extension install paths under the shared OS temporary directory allow a local attacker to pre-place malicious extension code that pi will load."
Attack vector
A local attacker who can write to the shared OS temporary directory (e.g., `/tmp` on Linux) computes the deterministic path that pi will use for a temporary npm or git extension package source. The attacker places malicious extension code at that path before the victim runs pi with `--extension` or `-e` pointing to the same npm/git source. During resource resolution, pi checks whether the expected package path already exists; if it does, pi loads the pre-placed content as an extension, executing attacker-controlled code with the victim user's privileges [ref_id=2]. No race condition is required, but the victim must invoke pi with a matching temporary extension source.
Affected code
The vulnerable code path is in `packages/coding-agent/src/core/package-manager.ts`. The `getTemporaryDir` method constructed paths under `os.tmpdir()/pi-extensions` using only public source information (host, path) and a short hash, making the location predictable. The `getGitInstallPath` and `getNpmInstallPath` methods used this predictable root for temporary npm and git extension installs. No path-traversal validation existed before the fix.
What the fix does
Patch [patch_id=6351628] moves temporary extension installs from `os.tmpdir()/pi-extensions` to `~/.pi/agent/tmp/extensions` and enforces `0700` permissions on that directory via `mkdirSync` with mode `0o700` and a subsequent `chmodSync` [patch_id=6351628]. This ensures the directory is only readable/writable by the owning user, preventing other local users from pre-creating paths inside it. Patch [patch_id=6351627] adds `resolveManagedPath` which validates that resolved paths stay within the intended install root, and introduces `hasUnsafeGitInstallPart` and `buildGitSource` to reject git source inputs containing null bytes, backslashes, absolute paths, or `..` traversal components [patch_id=6351627].
Preconditions
- inputVictim runs a vulnerable pi version (>=0.74.0, <0.78.1 for @earendil-works/pi-coding-agent; >=0.50.0, <=0.73.1 for @mariozechner/pi-coding-agent) with a temporary npm or git extension package source via --extension or -e.
- configAttacker has write access to the shared OS temporary directory (e.g., /tmp on Linux multi-user systems).
- configThe OS temporary directory is shared across user accounts (default on Linux; not on Windows/macOS unless overridden).
Reproduction
No public exploit or PoC is included in the bundle. The advisory describes the attack conceptually but does not provide reproduction steps.
Generated on Jun 17, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6- github.com/advisories/GHSA-jfgx-wxx8-mp94ghsaADVISORY
- github.com/earendil-works/pi/commit/a98e087e5d08ea2a536bf73dbb0aebb87c3ef72eghsa
- github.com/earendil-works/pi/commit/ea3465a8e371a12d0167a06b60f93878e3a3df44ghsa
- github.com/earendil-works/pi/pull/5345ghsa
- github.com/earendil-works/pi/releases/tag/v0.78.1ghsa
- github.com/earendil-works/pi/security/advisories/GHSA-jfgx-wxx8-mp94ghsa
News mentions
0No linked articles in our index yet.