CRLF Injection Affecting skillctl package, versions <0.1.3


Severity: high (CVSS assessment by Snyk's Security Team)


  • Snyk ID: SNYK-RUST-SKILLCTL-17661112
  • Published: 28 Jun 2026
  • Disclosed: 22 Jun 2026
  • Credit: Unknown

Introduced: 22 Jun 2026

CVE: not available
CWE: CWE-22, CWE-59, CWE-88, CWE-93

How to fix?

Upgrade skillctl to version 0.1.3 or higher.

Overview

Affected versions of this package are vulnerable to CRLF Injection via improper validation of user-supplied arguments and file paths. An attacker can execute arbitrary commands, access or overwrite files outside the intended directory, cause denial of service by leveraging special files such as FIFOs or devices, exfiltrate sensitive data through hardlinks, or forge commit metadata by injecting malicious input. This is only exploitable if attacker-controlled values are supplied to arguments such as --dest, source_sha, or skill names in non-interactive or agent-driven workflows.

Workaround

This vulnerability can be mitigated by auditing the source_sha fields in .skills.toml and the library content for special files and hardlinks, and by avoiding attacker-controlled values for --dest and --message in agent or CI contexts.
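As an added illustration of the checks the overview and workaround call for (this is example code, not skillctl's own), the hypothetical helpers below reject CR/LF in single-line fields such as --message and skill names, require source_sha to be a bare git object id, keep --dest lexically inside the library root, and refuse library entries that are symlinks, FIFOs, devices or hardlinks. Paths and names are constructed for the example.

```rust
use std::path::{Component, Path, PathBuf};

/// Reject CR, LF and NUL so a value cannot add lines to a commit message or name.
pub fn reject_crlf(field: &str, value: &str) -> Result<(), String> {
    if value.chars().any(|c| matches!(c, '\r' | '\n' | '\0')) {
        return Err(format!("{field}: CR/LF/NUL not allowed"));
    }
    Ok(())
}

/// source_sha must be a bare git object id: 40 or 64 lowercase hex digits.
pub fn validate_source_sha(sha: &str) -> Result<(), String> {
    let hex = sha.bytes().all(|b| b.is_ascii_hexdigit() && !b.is_ascii_uppercase());
    if !(sha.len() == 40 || sha.len() == 64) || !hex {
        return Err("source_sha: expected 40 or 64 lowercase hex digits".into());
    }
    Ok(())
}

/// A skill name is a single path segment: no separators, no `.` or `..`.
pub fn validate_skill_name(name: &str) -> Result<(), String> {
    reject_crlf("skill name", name)?;
    let safe = |b: u8| b.is_ascii_alphanumeric() || matches!(b, b'-' | b'_' | b'.');
    if name.is_empty() || name == "." || name == ".." || !name.bytes().all(safe) {
        return Err(format!("skill name {name:?} is not a plain segment"));
    }
    Ok(())
}

/// Join `dest` onto `root` lexically, refusing absolute paths and `..` components.
pub fn contain_dest(root: &Path, dest: &str) -> Result<PathBuf, String> {
    reject_crlf("--dest", dest)?;
    let mut out = root.to_path_buf();
    for comp in Path::new(dest).components() {
        match comp {
            Component::Normal(seg) => out.push(seg),
            Component::CurDir => {}
            _ => return Err(format!("--dest {dest:?} escapes the library root")),
        }
    }
    Ok(out)
}

/// Library entries must be regular files with one link (no symlink/FIFO/device/hardlink).
#[cfg(unix)]
pub fn is_plain_file(path: &Path) -> std::io::Result<bool> {
    use std::os::unix::fs::MetadataExt;
    let md = std::fs::symlink_metadata(path)?; // does not follow symlinks
    Ok(md.file_type().is_file() && md.nlink() == 1)
}
```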
