
CSCSoftware/AiDex

v1.14.0 Security

This release includes 1 security fix; it is relevant to security teams reviewing exposed deployments.

Published 2 months ago (MCP Developer Tools)

Topics

ai-coding, claude, claude-code, code-indexing, code-search, copilot, cursor, developer-tools, gemini, gemini-cli, mcp, mcp-server, sqlite, tree-sitter, vscode, windsurf

Affected surfaces

rce_ssrf

Summary

AI summary

Fixed command injection vulnerability in Linux screenshot tools.

Full changelog

What's New

Added

  • aidex_global_guideline — Persistent key-value store for AI guidelines and coding conventions. Store named instructions like "review" → review checklist, "release-prep" → release steps. Actions: set, get, list, delete. Works without prior global_init.
  • Viewer file size limit: getFileContent() now refuses files larger than 1 MB — prevents the browser from freezing on large binary or generated files

Fixed

  • Command injection in Linux screenshot tools: All execSync calls with shell string interpolation replaced with execFileSync using argument arrays
  • Global query cache grows unbounded: Cache entries evicted on write when they exceed the 5-minute TTL — prevents memory leak in long-running sessions
  • Viewer race condition on file change: pendingChanges set is now snapshotted and cleared before processing
  • Viewer buildTree() N+1 queries: Correlated subqueries replaced with LEFT JOIN — single query instead of one subquery per file
  • WebSocket unknown message type: Viewer now sends an error response for unrecognized message types
  • Viewer taskId not validated: updateTaskStatus now checks Number.isInteger(taskId) before processing
  • Viewer mode not whitelisted: getTree message mode constrained to 'code' | 'all'
  • getProjects() SQL injection via tag/namePattern: escapeLikeTerm() now applied to both filter parameters
  • Silent failures in viewer and global DB: catch {} blocks now log errors via console.error
  • Git status refresh on every file event: Added 5-second minimum interval between git status refreshes
  • Global query cache not invalidated after init/update: aidex_init and aidex_update now call invalidateGlobalCache()

Refactored

  • screenshot/shared.ts: New module with centralized hasTool() and runPowerShell() — both use execFileSync (no shell)
  • normalizePath(): Private duplicates removed — both now import from commands/shared.ts
  • escapeLikeTerm(): Exported from commands/shared.ts and used consistently across all LIKE queries
  • macOS sips output parsing: Replaced shell pipe with regex on direct sips output

Security Fixes

  • Replaced all `execSync` calls with shell string interpolation in Linux screenshot tools by using `execFileSync` and argument arrays — fixes command injection vulnerability


About CSCSoftware/AiDex

Persistent code index MCP server using Tree-sitter for fast, precise code search. Replaces grep with ~50 token responses instead of 2000+. Supports 11 languages including C#, TypeScript, Python, Rust, and Go.
