Skip to main content

Early Access — Mondoo Vulnerability Intelligence is currently in preview.

Mondoo Vulnerability Intelligence

Curated by Mondoo Research, enhanced with AI

Resources

Search Vulnerabilities
Trending CVEs
Browse Ecosystems
Terminology
Blog

Open Source

cnquery
cnspec

Star us on GitHub!

Company

Mondoo Platform
About
Contact

© 2026 Mondoo, Inc.

Privacy Policy Terms of Service Imprint

Vulnerability Intelligence

CVE-2025-11445

MEDIUM6.3

Kilo Code Prompt ClineProvider.ts ClineProvider injection

Published Oct 8, 2025

Modified 3 months ago

No fix available

Details

A vulnerability was detected in Kilo Code up to 4.86.0. Affected is the function ClineProvider of the file src/core/webview/ClineProvider.ts of the component Prompt Handler. Performing manipulation results in injection. The attack can be initiated remotely. The exploit is now public and may be used. Applying a patch is the recommended action to fix this issue.

References

WEBhttps://github.com/Kilo-Org/kilocode/pull/2244 FIXhttps://github.com/Kilo-Org/kilocode/pull/2244/commits/2fdddf89edba41ec3a527134e485a3388c464333 DETECTIONhttps://mcpsec.dev/advisories/2025-10-02-kilo-code-ai-agent-supply-chain-attack/WEBhttps://vuldb.com/?ctiid.327382 WEBhttps://vuldb.com/?id.327382 ADVISORYhttps://vuldb.com/?submit.667004 ADVISORYhttps://www.cve.org/CVERecord?id=CVE-2025-11445

CVSS Analysis

CVSS v4.0

5.3

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Attack Requirements

NoneAT:N

Privileges Required

NonePR:N

User Interaction

PassiveUI:P

Vulnerable System

Vuln. Confidentiality

LowVC:L

Vuln. Integrity

LowVI:L

Vuln. Availability

LowVA:L

Subsequent System

Subseq. Confidentiality

NoneSC:N

Subseq. Integrity

NoneSI:N

Subseq. Availability

NoneSA:N

5.3/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

Weakness Type (CWE)

Input Validation

Other

Ecosystems

Timeline

PublishedOct 8, 2025

ModifiedOct 8, 2025

CVE-2025-11445 | Mondoo Vulnerability Intelligence