Platform: javascript
Component: dye
Fixed in: 1.1.2
CVE-2026-35197 is a code execution vulnerability affecting versions of the dye color library prior to 1.1.1. Maliciously crafted template expressions within the dye library can trigger arbitrary code execution. This vulnerability was identified and addressed by the dye library's author. The issue is resolved in version 1.1.1 and is not currently known to be exploited.
An attacker could exploit this vulnerability by crafting a malicious dye template expression. When this expression is processed by the dye library, it could lead to the execution of arbitrary code on the system. The potential impact ranges from information disclosure and denial of service to complete system compromise, depending on the privileges of the process running the dye library. This vulnerability highlights the importance of carefully validating user-supplied input, even within seemingly innocuous libraries.
This vulnerability is not currently known to be exploited. It was discovered and promptly patched by the dye library's author. It is not listed on the CISA KEV catalog. A public proof-of-concept is not currently available, which reduces the immediate risk, but diligent monitoring and timely patching remain crucial.
Developers and system administrators using the dye color library in their shell scripts or applications are at risk. Specifically, those relying on older, unpatched versions (0.0.0–<1.1.1) are vulnerable. Automated build systems and CI/CD pipelines that incorporate dye should be updated to use the patched version.
disclosure
Exploit status:
EPSS: 0.02% (5th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2026-35197 is to upgrade to version 1.1.1 of the dye library. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider isolating the dye library within a sandboxed environment to limit the potential impact of exploitation. While no active exploitation is known, review any scripts or applications using dye for potentially malicious template expressions. There are no specific WAF or proxy rules that can directly address this vulnerability, as it resides within the library's code processing logic.
Update the 'dye' library to version 1.1.1 or later to mitigate the code injection vulnerability in template expressions. This update fixes the issue by preventing arbitrary code execution. See the GitHub repository for more details and to download the updated version.
CVE-2026-35197 describes a code execution vulnerability in the dye color library where malicious template expressions can trigger arbitrary code execution before version 1.1.1.
You are affected if you are using dye versions 0.0.0 through 1.1.0. Upgrade to 1.1.1 to mitigate the risk.
Upgrade to version 1.1.1 of the dye library. This version contains the fix for the code execution vulnerability.
Currently, CVE-2026-35197 is not known to be actively exploited, but prompt patching is still recommended.
Refer to the dye library's official repository or documentation for the advisory and release notes related to version 1.1.1.