Vulnerability Database
296,663
Total vulnerabilities in the database
CVE-2025-62378
Impact
A logic flaw exists in the message command handler of CommandKit that affects how the commandName property is exposed to both middleware functions and command execution contexts when handling command aliases. When a message command is invoked using an alias, the ctx.commandName value reflects the alias rather than the canonical command name. This occurs in both middleware functions and within the command’s own run function.
Developers who rely on ctx.commandName for logic that assumes it represents the canonical command identifier may introduce unintended behavior. In security-sensitive cases, such as middleware used for permission checks, rate limiting, or audit logging, this behavior could allow unauthorized command execution or inaccurate access control decisions. Slash commands and context menu commands are not affected.
Patches
Fixed in v1.2.0-rc.12.
ctx.commandName now consistently returns the actual command name, regardless of the alias used to invoke it.
Workaround
If upgrading isn't immediately possible:
- Use
ctx.command.data.command.namefor permission validations, or - Include all command aliases in your permission logic.
References
| Software | From | Fixed in |
|---|---|---|
commandkit
|
1.2.0-rc.1 | 1.2.0-rc.12 |
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime