CVSS 4.0 (GHSA): 6.9
Skilleton: Malicious Input Can Cause Unintended Behavior
GHSA-5g3j-89fr-r2vp
Summary
The Skilleton software has a security weakness in how it handles certain inputs. This could allow an attacker to cause the software to behave unexpectedly or inefficiently. To fix this, update to version 0.3.1 or later.
What to do
- Update fcmam5/skilleton to version 0.3.1 or later.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| fcmam5 | skilleton | <= 0.3.1 | 0.3.1 |
Original title
skilleton has improper input handling in repository/path processing
Original description
## Summary
`skilleton` versions prior to `0.3.1` include security-related weaknesses in repository normalization and path handling logic.
Version `0.3.1` contains fixes and additional test coverage for these issues.
## Affected Versions
`<0.3.1`
## Patched Versions
`>=0.3.1`
## Impact
In affected versions, crafted input could trigger unsafe or inefficient behavior in repository/path processing code paths.
`0.3.1` mitigates this by:
- replacing vulnerable parsing behavior with deterministic logic,
- validating subpaths earlier before allocating git worktree resources,
- adding stricter and broader regression tests around these flows.
## Severity
Low to Moderate (project-maintainer assessed)
## Mitigation
Upgrade to `0.3.1` or later.
## Workarounds
No complete workaround is recommended other than upgrading.
## References
- Branch: [`fix/security-code-scanning-alerts`](https://github.com/Fcmam5/skilleton/pull/9)
- Commits:
  - [fix(security): harden git arg handling and path validation](https://github.com/Fcmam5/skilleton/pull/9/changes/42bc280ad675bfaa7b1bbc192330fb582bb28172)
  - [fix(security): use while loop in normalizeRepoUrl instead of regex](https://github.com/Fcmam5/skilleton/pull/9/changes/6613160803ec8655efee9a270eeaa767ad22da8b)
- Security Policy: [SECURITY.md](https://github.com/Fcmam5/skilleton/blob/master/SECURITY.md)
## Credits
Detected through automated code scanning and remediated by project maintainers.
Vulnerability types
- CWE-78: OS Command Injection
- CWE-88: Argument Injection
- CWE-400: Uncontrolled Resource Consumption
- CWE-1333: Inefficient Regular Expression Complexity (ReDoS)
Published: 8 Apr 2026 · Updated: 8 Apr 2026 · First seen: 8 Apr 2026