Intel

AIKIDO-2026-674364

@inquirer/external-editor is vulnerable to Path traversal

Path traversal Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 3 days ago

38

Low Risk

This Affects:

JS@inquirer/external-editor
0.0.1 - 3.0.2
Fixed in 3.0.3
Are you affected? Scan for Free

TL;DR

The package previously created temp files and launched an external editor in ways that could allow path escaping from the intended temp location and/or unsafe command interpretation. The fix creates a dedicated temporary directory (mkdtempSync) and always places the temp file under it (then recursively cleans it up), and it hardens editor process launching by disabling shell execution (shell: false) and handling spawn errors.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

@inquirer/external-editor is vulnerable to Path traversal in versions 0.0.1 - 3.0.2.

How to fix this

Upgrade the @inquirer/external-editor library to the patch version.