Network-AI
Repository
Release

v5.9.1 — Critical: Shell Command Injection Fix (GHSA-qw6v-5fcf-5666)

Published 2026-06-02 | Release notes

SandboxPolicy.isCommandAllowed glob-matched the entire command string, but ShellExecutor then ran that string through /bin/sh -c (or cmd.exe /c). A scoped allowlist entry such as git , npm , or node therefore also match

Read the release here or open the original release on GitHub.
Open release on GitHub Open changelog Open quick start Release RSS

Network-AI v5.9.1 — Critical Security Patch

🔒 Security — GHSA-qw6v-5fcf-5666 (Critical, CWE-78 OS Command Injection)

SandboxPolicy.isCommandAllowed glob-matched the entire command string, but ShellExecutor then ran that string through /bin/sh -c (or cmd.exe /c). A scoped allowlist entry such as git , npm , or node * therefore also matched chained payloads like git status; id, and the injected command executed — defeating the one control the threat model designates against a compromised agent (Adversary 3.2).

Fixed:

  • Commands now execute via spawn(file, args, { shell: false }) using a parsed argv — no shell is ever invoked, so metacharacters cannot be interpreted.
  • A new quote-aware parseCommandLine() tokenizer backs both isCommandAllowed() and the new SandboxPolicy.tokenizeCommand().
  • Any unquoted shell metacharacter (; &amp; | $ ` ` ( ) < > { }` newline) or unterminated quote is rejected before the allowlist glob match.
  • Quoted metacharacters are preserved as literal argument data.

_Reported by lexdotdev._

🛠 Fixed

  • scripts/check_permission.py — permission_denied audit logging: audit_summary reads explicit permission_denied events (v5.9.0), but the permission checker never wrote them. A new _deny() helper now logs a permission_denied audit event (agent_id, resource_type, scope, reason, scores) at every denial point — high-risk confirmation, insufficient justification, low trust, excessive risk, below-threshold weighted score.
  • Socket.dev Network-access false positive — declared lib/telemetry-provider.ts / dist/lib/telemetry-provider.js in socket.json. The module defines the BYOT ITelemetryProvider interface and createOtelHooks() factory and makes no outbound HTTP calls.
  • Tests — added command-injection regression coverage (chaining, pipe, $(), backticks, redirection, newline, quoted-literal handling, tokenizeCommand); converted shell-builtin test commands to node -e since execution is now shell-free.

✅ Verification

  • npx tsc --noEmit — clean
  • Full suite — 3,161 tests across 31 suites passing

Upgrade urgency: HIGH for any deployment that grants agents ShellExecutor access with a scoped allowlist.

Release FAQ

Fast answers for operators and answer engines.

What changed in v5.9.1?

SandboxPolicy.isCommandAllowed glob-matched the entire command string, but ShellExecutor then ran that string through /bin/sh -c (or cmd.exe /c). A scoped allowlist entry such as git , npm , or node therefore also match

When was v5.9.1 published?

v5.9.1 was published on Jun 2, 2026.

How much validation backed v5.9.1?

The release notes report 3,161 tests across 31 suites, all passing.

Continue evaluating

Cross-check the release signals.

Use the changelog, benchmark notes, and security policy together to validate that the release story lines up with public maintenance discipline.

Changelog Benchmarks Security