Platform: javascript
Component: dye
Fixed in: 1.1.2
CVE-2026-35197 is a code execution vulnerability affecting versions of the dye color library prior to 1.1.1. Maliciously crafted template expressions within the dye library can trigger arbitrary code execution. This vulnerability was identified and addressed by the dye library's author. The issue is resolved in version 1.1.1 and is not currently known to be exploited.
An attacker could exploit this vulnerability by crafting a malicious dye template expression. When this expression is processed by the dye library, it could lead to the execution of arbitrary code on the system. The potential impact ranges from information disclosure and denial of service to complete system compromise, depending on the privileges of the process running the dye library. This vulnerability highlights the importance of carefully validating user-supplied input, even within seemingly innocuous libraries.
This vulnerability is not currently known to be exploited. It was discovered and promptly patched by the dye library's author. It is not listed on the CISA KEV catalog. A public proof-of-concept is not currently available, which reduces the immediate risk, but diligent monitoring and timely patching remain crucial.
Developers and system administrators using the dye color library in their shell scripts or applications are at risk. Specifically, those relying on older, unpatched versions (0.0.0 up to, but not including, 1.1.1) are vulnerable. Automated build systems and CI/CD pipelines that incorporate dye should be updated to use the patched version.
Disclosure
Exploit status
EPSS: 0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-35197 is to upgrade to version 1.1.1 of the dye library. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider isolating the dye library within a sandboxed environment to limit the potential impact of exploitation. While no active exploitation is known, review any scripts or applications using dye for potentially malicious template expressions. There are no specific WAF or proxy rules that can directly address this vulnerability, as it resides within the library's code processing logic.
Update the 'dye' library to version 1.1.1 or later to mitigate the code injection vulnerability in template expressions. This update fixes the issue by preventing arbitrary code execution. See the GitHub repository for further details and to download the updated version.
CVE-2026-35197 describes a code execution vulnerability in the dye color library where malicious template expressions can trigger arbitrary code execution before version 1.1.1.
You are affected if you are using dye versions 0.0.0 through 1.1.0. Upgrade to 1.1.1 to mitigate the risk.
Upgrade to version 1.1.1 of the dye library. This version contains the fix for the code execution vulnerability.
Currently, CVE-2026-35197 is not known to be actively exploited, but prompt patching is still recommended.
Refer to the dye library's official repository or documentation for the advisory and release notes related to version 1.1.1.