Logic Flaw in CommandKit Framework for Discord Bots by UnderCtrl
CVE-2025-62378

CVSS score: 6.1 (MEDIUM)

Key Information:

Vendor: UnderCtrl
CVE Published: 15 October 2025

What is CVE-2025-62378?

A logic flaw in the CommandKit framework causes the commandName property to be reported incorrectly. When a command is invoked through an alias, ctx.commandName holds the alias rather than the canonical command name, misleading developers who rely on it for permission checks and other security-relevant logic. Code that keys its access policy on ctx.commandName can therefore make incorrect access control decisions or execute commands without the intended authorization, undermining the integrity of bot operations. The issue is fixed in version 1.2.0-rc.12.
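The following is an added illustration, not CommandKit's own code: a miniature command dispatcher that reproduces the behaviour the advisory describes (ctx.commandName reflecting the alias the user typed) beside the corrected behaviour (ctx.commandName always holding the canonical name), plus a permission check that shows why the difference matters. The command names, aliases, role names and the `rolePolicy` table are constructed for the demo, and `isPermitted` is a hypothetical defensive guard a bot author could add regardless of framework version.

```javascript
// Added example, not CommandKit's own code. Reproduces the flaw described in
// the advisory (ctx.commandName reflecting an alias) next to the fixed
// behaviour, and shows how a permission check keyed on ctx.commandName
// misbehaves. All command names, aliases and role names are constructed.

const commands = [
  { name: "ban",  aliases: ["b", "hammer"] },
  { name: "ping", aliases: ["p"] },
];

// The bot author's access policy, written against canonical command names.
// A null entry means anyone may run the command.
const rolePolicy = {
  ban: "moderator",
  ping: null,
};

// Index every canonical name and alias to its command definition.
function buildIndex(cmds) {
  const index = new Map();
  for (const cmd of cmds) {
    index.set(cmd.name, cmd);
    for (const alias of cmd.aliases) index.set(alias, cmd);
  }
  return index;
}
const index = buildIndex(commands);

// Vulnerable dispatch: the context echoes whatever token the user invoked.
function buildContextVulnerable(invokedName) {
  const cmd = index.get(invokedName);
  return cmd ? { commandName: invokedName, command: cmd } : null;
}

// Fixed dispatch: the context carries the canonical name regardless of alias.
function buildContextFixed(invokedName) {
  const cmd = index.get(invokedName);
  return cmd ? { commandName: cmd.name, command: cmd } : null;
}

// A permission check in the style the advisory warns about: it trusts
// ctx.commandName as the policy key. Returns one of:
//   "allowed"  - policy entry found and satisfied
//   "denied"   - policy entry found, required role missing
//   "unmapped" - no policy entry for this name (what an alias produces under
//                the vulnerable dispatch); a fail-open check would let it run
//   "unknown"  - no such command
function authorize(ctx, userRoles) {
  if (!ctx) return "unknown";
  if (!Object.prototype.hasOwnProperty.call(rolePolicy, ctx.commandName)) {
    return "unmapped";
  }
  const needed = rolePolicy[ctx.commandName];
  return needed === null || userRoles.includes(needed) ? "allowed" : "denied";
}

// Run the check against a given dispatch implementation.
function decide(dispatch, invokedName, userRoles) {
  return authorize(dispatch(invokedName), userRoles);
}

// Hypothetical defensive guard independent of the framework version: resolve
// the canonical name yourself before consulting policy, and treat anything
// other than an explicit "allowed" as a denial (fail closed).
function isPermitted(invokedName, userRoles) {
  const cmd = index.get(invokedName);
  if (!cmd) return false;
  return authorize({ commandName: cmd.name, command: cmd }, userRoles) === "allowed";
}

// Demo: a user with no roles invokes the privileged command through its alias.
console.log("vulnerable:", decide(buildContextVulnerable, "hammer", [])); // unmapped
console.log("fixed:     ", decide(buildContextFixed, "hammer", []));      // denied
console.log("guard:     ", isPermitted("hammer", []));                     // false
```

The point of the "unmapped" outcome is that, under the vulnerable dispatch, a policy lookup keyed on ctx.commandName never finds the entry for the privileged command when it is reached by alias; whether that turns into an unauthorized execution depends entirely on whether the surrounding check fails open or closed. Canonicalising the name before the lookup, as in `buildContextFixed` or `isPermitted`, removes that dependency.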

Affected Version(s)

commandkit >= 1.2.0-rc.1 < 1.2.0-rc.12

CVSS v3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved
