Intel

AIKIDO-2026-109307

hyperframes is vulnerable to Command Injection

Command Injection Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Today

64

Medium Risk

This Affects:

JShyperframes
0.2.3 - 0.6.7
Fixed in 0.6.8
Are you affected? Scan for Free

TL;DR

The upgrade command in the Hyperframes CLI builds the string npm install -g hyperframes@<latest> from the version reported by the npm registry and, in non-interactive mode (--yes), executes it with execSync, which spawns a shell. Because the registry-supplied version value is used without validation, a poisoned or man-in-the-middled registry response carrying shell metacharacters (for example 1.2.3; <command>) is interpreted as extra shell commands. This allows arbitrary command execution on the machine running the CLI. The fix validates the version as strict semver and switches to execFileSync with shell:false so the value can no longer break out of the argument.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and you run the CLI's non-interactive upgrade --yes command.

Background info

hyperframes is vulnerable to Command Injection in versions 0.2.3 - 0.6.7.

How to fix this

Upgrade the hyperframes library to the patch version.