Command Injection Affecting agentic-flow package, versions <2.0.14


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Command Injection vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JS-AGENTICFLOW-17818150
  • published5 Jul 2026
  • disclosed19 Jun 2026
  • creditUnknown

Introduced: 19 Jun 2026

NewCVE-2026-58195  (opens in a new tab)
CWE-78  (opens in a new tab)

How to fix?

Upgrade agentic-flow to version 2.0.14 or higher.

Overview

agentic-flow is a The agentic meta-harness — freeze the model, evolve the harness. An open runtime that routes each query to the cost-optimal model, evolves its own harness (planner/context/reviewer/retry/tool/memory/score policy) and autonomously repairs code, then orches

Affected versions of this package are vulnerable to Command Injection in the process that interpolates user-supplied parameters into shell command strings executed by execSync. An attacker can execute arbitrary operating system commands with the privileges of the server process by supplying crafted input values that break out of the intended command context.

CVSS Base Scores

version 4.0
version 3.1