Wmux

v2.4.3 Security

This release includes 6 security fixes for security teams reviewing exposed deployments.

Published 2mo CLI & Terminal

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 6 known CVEs

Topics

agentic-ai ai-agent ai-agents ai-coding browser-automation claude

+12 more

claude-code coding-agent developer-tools electron gemini mcp-server multi-agent powershell terminal-multiplexer tmux tmux-alternative windows

Affected surfaces

auth rce_ssrf

Summary

AI summary

Multiple security hardening improvements including timing‑safe token comparison, tighter file permissions, prototype pollution defense, and CSPRNG usage.

Full changelog

Security Hardening

Timing-safe token comparison: PipeServer now uses crypto.timingSafeEqual (matches DaemonPipeServer)
TCP port file permissions: Set 0o600 to restrict access
Prototype pollution defense: Added JSON.parse reviver to McpRegistrar
Shell injection prevention: Replaced execSync with execFileSync for PID lookups
CSPRNG for CDP port: Use crypto.randomInt() instead of Math.random()
Ref parameter sanitization: Validate ref params against ^[a-zA-Z0-9_-]+$ before CSS selector insertion
Reproducible release builds: Changed npm install to npm ci in release workflow
Lockfile sync: Aligned package-lock.json version with package.json

Full Changelog: https://github.com/openwong2kim/wmux/compare/v2.4.2...v2.4.3

Security Fixes

Timing‑safe token comparison using `crypto.timingSafeEqual` in PipeServer and DaemonPipeServer
TCP port file permissions tightened to `0o600`
Prototype pollution defense added via JSON.parse reviver in McpRegistrar
Shell injection prevention by replacing `execSync` with `execFileSync` for PID lookups
CSPRNG usage (`crypto.randomInt()`) for CDP port selection instead of `Math.random()`
Ref parameter sanitization enforcing regex `^[a-zA-Z0-9_-]+$` before CSS selector insertion