Arbitrary Argument Injection Affecting @grackle-ai/powerline package, versions <0.133.0


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Arbitrary Argument Injection vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JS-GRACKLEAIPOWERLINE-17817937
  • published5 Jul 2026
  • disclosed2 Jul 2026
  • creditUnknown

Introduced: 2 Jul 2026

New CVE NOT AVAILABLE CWE-78  (opens in a new tab)
CWE-88  (opens in a new tab)

How to fix?

Upgrade @grackle-ai/powerline to version 0.133.0 or higher.

Overview

@grackle-ai/powerline is a gRPC PowerLine server for Grackle AI agent integration

Affected versions of this package are vulnerable to Arbitrary Argument Injection via unsanitized input to the branch parameter in the SpawnSession process. An attacker can execute arbitrary commands as the application user on provisioned environments by supplying crafted branch names that are concatenated into a shell command without proper validation.

CVSS Base Scores

version 4.0
version 3.1