Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-fhwm-pc6r-4h2f: CommandKit has incorrect command name exposure in context object for message command aliases

Impact

A logic flaw exists in the message command handler of CommandKit that affects how the commandName property is exposed to both middleware functions and command execution contexts when handling command aliases. When a message command is invoked using an alias, the ctx.commandName value reflects the alias rather than the canonical command name. This occurs in both middleware functions and within the command’s own run function.

Developers who rely on ctx.commandName for logic that assumes it represents the canonical command identifier may introduce unintended behavior. In security-sensitive cases, such as middleware used for permission checks, rate limiting, or audit logging, this behavior could allow unauthorized command execution or inaccurate access control decisions. Slash commands and context menu commands are not affected.

Patches

Fixed in v1.2.0-rc.12. ctx.commandName now consistently returns the actual command name, regardless of the alias used to invoke it.

Workaround

If upgrading isn’t immediately possible:

  • Use ctx.command.data.command.name for permission validations, or
  • Include all command aliases in your permission logic.

References

ghsa
Open in Source
#git#auth

Impact

A logic flaw exists in the message command handler of CommandKit that affects how the commandName property is exposed to both middleware functions and command execution contexts when handling command aliases. When a message command is invoked using an alias, the ctx.commandName value reflects the alias rather than the canonical command name. This occurs in both middleware functions and within the command’s own run function.

Developers who rely on ctx.commandName for logic that assumes it represents the canonical command identifier may introduce unintended behavior. In security-sensitive cases, such as middleware used for permission checks, rate limiting, or audit logging, this behavior could allow unauthorized command execution or inaccurate access control decisions. Slash commands and context menu commands are not affected.

Patches

Fixed in v1.2.0-rc.12.
ctx.commandName now consistently returns the actual command name, regardless of the alias used to invoke it.

Workaround

If upgrading isn’t immediately possible:

  • Use ctx.command.data.command.name for permission validations, or
  • Include all command aliases in your permission logic.

References

  • CommandKit repository

References

  • GHSA-fhwm-pc6r-4h2f
  • underctrl-io/commandkit@440385a

ghsa: Latest News

GHSA-4p3p-cr38-v5xp: Omni is Vulnerable to DoS via Empty Create/Update Resource Requests
ghsa