kagura-ai@4.0.8

Direct Vulnerabilities

Known vulnerabilities in the kagura-ai package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability / Vulnerable Version
  • C
Arbitrary Code Injection

kagura-ai is a Universal AI Memory Platform - MCP-native context management for all AI agents.

Affected versions of this package are vulnerable to Arbitrary Code Injection due to missing access restrictions in multiple tool endpoints, including coding_index_source_code, coding_analyze_file_dependencies, coding_analyze_refactor_impact, meta_fix_code_error, gh_safe_exec, gh_pr_create_safe, and gh_pr_merge_safe. These endpoints fail to enforce authentication or authorization, allowing remote attackers to read arbitrary files from the server filesystem, trigger code-generation behaviors that can result in arbitrary code execution, and perform unauthorized actions on GitHub repositories.

How to fix Arbitrary Code Injection?

Upgrade kagura-ai to version 4.2.3 or higher.

Vulnerable version: [,4.2.3)