Jovancoding/Network-AI

v5.9.1 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 1d MCP Developer Tools
✓ No known CVEs patched
This release patches 1 known CVE

Topics

agent-framework agent-orchestration ai-agents autogen blackboard blackboard-architecture
crewai hermes hermes-agent langchain llm mcp multi-agent nemoclaw nodejs openclaw orchestration rlm typescript workflow-engine

Affected surfaces

rce_ssrf breaking_upgrade

ReleasePort's take

Moderate signal
editorial:auto 1d

The release fixes an OS command injection vulnerability in ShellExecutor and adds permission‑denied audit logging to check_permission.py.

Why it matters: Addresses a high‑severity (95) command injection flaw; introduces audit logs for every permission denial, improving security observability.

Summary

AI summary

Updates 🛠 Fixed, ✅ Verification, and v5.9.0 across a mixed release.

Changes in this release

Security Critical

Fixes OS command injection vulnerability in ShellExecutor by removing shell invocation.

Source: llm_adapter@2026-06-02

Confidence: low

Security High

Eliminates OS command injection by executing commands without a shell.

Source: granite4.1:30b@2026-06-02-audit

Confidence: low

Security High

Adds quote-aware parsing and rejects unquoted metacharacters before allowlist matching.

Source: granite4.1:30b@2026-06-02-audit

Confidence: low

Feature Low

Adds command‑injection regression tests covering various injection techniques.

Source: granite4.1:30b@2026-06-02-audit

Confidence: low

Bugfix Medium

Adds permission_denied audit logging to scripts/check_permission.py on every denial.

Source: llm_adapter@2026-06-02

Confidence: low

Bugfix Low

Corrects false positive network‑access detection for lib/telemetry-provider.ts in socket.json.

Source: llm_adapter@2026-06-02

Confidence: high

Full changelog

Network-AI v5.9.1 — Critical Security Patch

🔒 Security — GHSA-qw6v-5fcf-5666 (Critical, CWE-78 OS Command Injection)

SandboxPolicy.isCommandAllowed glob-matched the entire command string, but ShellExecutor then ran that string through /bin/sh -c (or cmd.exe /c). A scoped allowlist entry such as git *, npm *, or node * therefore also matched chained payloads like git status; id, and the injected command executed — defeating the one control the threat model designates against a compromised agent (Adversary 3.2).

Fixed:

  • Commands now execute via spawn(file, args, { shell: false }) using a parsed argv — no shell is ever invoked, so metacharacters cannot be interpreted.
  • A new quote-aware parseCommandLine() tokenizer backs both isCommandAllowed() and the new SandboxPolicy.tokenizeCommand().
  • Any unquoted shell metacharacter (; & | $ ` ( ) < > { } newline) or unterminated quote is rejected before the allowlist glob match.
  • Quoted metacharacters are preserved as literal argument data.

Reported by lexdotdev.
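
The bypass and the fix described in this advisory, as an added TypeScript sketch that is not Network-AI's own code. `tokenize`, `globMatch`, `naiveAllowed` and `hardenedArgv` are hypothetical names, and the glob semantics (`*` matches any run of characters) are an assumption.

```typescript
// Added illustration, not Network-AI's implementation; all names are hypothetical.
const META = ";&|$`()<>{}\n"; // metacharacter set listed in the advisory

// Quote-aware tokenizer: returns argv, or null on an unquoted metacharacter
// or an unterminated quote. Backslash is kept as a literal character.
function tokenize(line: string): string[] | null {
  const argv: string[] = [];
  let cur = "";
  let inToken = false;
  let quote = ""; // "" when outside quotes, otherwise the opening ' or "
  for (let i = 0; i < line.length; i++) {
    const ch = line.charAt(i);
    if (quote !== "") {
      if (ch === quote) quote = "";
      else cur += ch; // quoted metacharacters stay literal argument data
    } else if (ch === "'" || ch === '"') {
      quote = ch;
      inToken = true; // "" is a valid empty argument
    } else if (META.indexOf(ch) !== -1) {
      return null; // rejected before any allowlist matching
    } else if (ch === " " || ch === "\t") {
      if (inToken) { argv.push(cur); cur = ""; inToken = false; }
    } else {
      cur += ch;
      inToken = true;
    }
  }
  if (quote !== "") return null; // unterminated quote
  if (inToken) argv.push(cur);
  return argv;
}

// Assumed glob semantics: "*" matches any run of characters.
function globMatch(pattern: string, text: string): boolean {
  const body = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, "[\\s\\S]*");
  return new RegExp("^" + body + "$").test(text);
}

// Pre-fix shape: glob over the raw string, which a shell would then interpret.
function naiveAllowed(allowlist: string[], line: string): boolean {
  return allowlist.some((p) => globMatch(p, line));
}

// Post-fix shape: tokenize/reject, then match; argv is for spawn(file, args, { shell: false }).
function hardenedArgv(allowlist: string[], line: string): string[] | null {
  const argv = tokenize(line);
  if (argv === null || argv.length === 0) return null;
  return naiveAllowed(allowlist, argv.join(" ")) ? argv : null;
}
```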

🛠 Fixed

  • scripts/check_permission.py — permission_denied audit logging: audit_summary reads explicit permission_denied events (v5.9.0), but the permission checker never wrote them. A new _deny() helper now logs a permission_denied audit event (agent_id, resource_type, scope, reason, scores) at every denial point — high-risk confirmation, insufficient justification, low trust, excessive risk, below-threshold weighted score.
  • Socket.dev Network-access false positive — declared lib/telemetry-provider.ts / dist/lib/telemetry-provider.js in socket.json. The module defines the BYOT ITelemetryProvider interface and createOtelHooks() factory and makes no outbound HTTP calls.
  • Tests — added command-injection regression coverage (chaining, pipe, $(), backticks, redirection, newline, quoted-literal handling, tokenizeCommand); converted shell-builtin test commands to node -e since execution is now shell-free.

✅ Verification

  • npx tsc --noEmit — clean
  • Full suite — 3,161 tests across 31 suites passing

Upgrade urgency: HIGH for any deployment that grants agents ShellExecutor access with a scoped allowlist.

Security Fixes

  • GHSA-qw6v-5fcf-5666 — Fixed OS Command Injection (CWE-78) by eliminating shell invocation and adding strict tokenization/validation of commands


About Jovancoding/Network-AI

Multi-agent orchestration MCP server with race-condition-safe shared blackboard. 20+ MCP tools: blackboard read/write, agent spawn/stop, FSM transitions, budget tracking, token management, and audit log query. `npx network-ai-server --port 3001`.
