CVE-2025-62378
BaseFortify
Publication date: 2025-10-15
Last updated on: 2025-10-16
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| underctrl | commandkit | 1.2.0-rc.11 |
| underctrl | commandkit | 1.2.0-rc.1 |
| underctrl | commandkit | 1.2.0-rc.12 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-706 | The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in CommandKit versions 1.2.0-rc.1 through 1.2.0-rc.11 involves a logic flaw where the ctx.commandName property reflects the alias used to invoke a message command instead of the canonical command name. This contradicts the implicit expectation from the documentation that ctx.commandName is the canonical identifier. As a result, middleware functions and command execution contexts relying on ctx.commandName may behave incorrectly, potentially causing unauthorized command execution or incorrect access control decisions. Slash commands and context menu commands are not affected. The issue was fixed in version 1.2.0-rc.12. [1]
How can this vulnerability impact me?
This vulnerability can lead to unintended behavior in middleware that relies on ctx.commandName for critical logic such as permission checks, rate limiting, authentication, and audit logging. Because ctx.commandName reflects the alias rather than the canonical command name, unauthorized command execution or inaccurate access control decisions may occur, potentially allowing users to bypass restrictions or cause security issues within Discord bots using CommandKit. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by reviewing the behavior of the ctx.commandName property in your CommandKit-based Discord bot middleware and command execution contexts. Specifically, check if ctx.commandName reflects the alias used to invoke a message command rather than the canonical command name. There are no specific network or system commands provided for detection. Instead, you can add debugging or logging in your bot's middleware to output ctx.commandName and verify if it matches the canonical command name or an alias. For example, add console.log(ctx.commandName) in middleware and command run functions to observe the value during command invocation. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading CommandKit to version 1.2.0-rc.12 or later, where the issue is fixed and ctx.commandName consistently returns the canonical command name. If upgrading is not immediately possible, as a workaround, modify your permission validation and middleware logic to use ctx.command.data.command.name instead of ctx.commandName, or explicitly include all command aliases in your permission checks to avoid unauthorized command execution or incorrect access control. [1]
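The permission-check failure mode and both workarounds from the answers above, as an added example that is not part of this page or of CommandKit itself: the ctx object, the ADMIN_ONLY allow-list and the command names are constructed stand-ins, the ctx.command.data.command.name path comes from the workaround text above, and the aliases field on the command definition is an assumption.

```javascript
// Constructed stand-in for a CommandKit message-command context (not the real library).
// Only the fields this example needs are modelled.
function makeMessageCtx(invokedName, canonicalName, aliases) {
  return {
    // Pre-1.2.0-rc.12 behaviour being demonstrated: commandName reflects the
    // alias the user typed, not the canonical command name.
    commandName: invokedName,
    command: { data: { command: { name: canonicalName, aliases } } },
  };
}

// Constructed allow-list of canonical command names that need elevated permissions.
const ADMIN_ONLY = new Set(['ban']);

// Vulnerable pattern: keys the permission check on ctx.commandName.
// Invoking the command through an alias misses the lookup, so the check is skipped.
function isAdminOnlyVulnerable(ctx) {
  return ADMIN_ONLY.has(ctx.commandName);
}

// Workaround 1 (from the advisory): key the check on the canonical name taken
// from the command definition, which is unaffected by how the command was invoked.
function isAdminOnlyCanonical(ctx) {
  return ADMIN_ONLY.has(ctx.command.data.command.name);
}

// Workaround 2 (from the advisory): treat every alias as the command it points to.
// Resolves the invoked name (alias or canonical) back to the canonical name, or null
// if the name does not belong to this command at all.
function resolveCanonicalName(ctx) {
  const def = ctx.command.data.command;           // assumed shape: { name, aliases }
  const names = [def.name, ...(def.aliases ?? [])];
  return names.includes(ctx.commandName) ? def.name : null;
}

function isAdminOnlyAliasAware(ctx) {
  const canonical = resolveCanonicalName(ctx);
  return canonical !== null && ADMIN_ONLY.has(canonical);
}

// Detection check suggested in the Q&A: log or alert when commandName differs
// from the canonical name, which is the symptom of the affected versions.
function commandNameMismatch(ctx) {
  return ctx.commandName !== ctx.command.data.command.name;
}
```

Running commandNameMismatch inside a middleware on an affected version reports true for every alias invocation, which is a quick way to confirm the bot is exposed before upgrading.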