GHSA-fhwm-pc6r-4h2f: 
JavaScript vulnerability analysis and mitigation

A logic flaw was discovered in CommandKit's message command handler affecting versions >= 1.2.0-rc.1 and <= 1.2.0-rc.11. The vulnerability (GHSA-fhwm-pc6r-4h2f) relates to how the commandName property is exposed in the context object when handling command aliases. The issue was disclosed on October 11, 2025, and affects the npm package commandkit (GitHub Advisory).

The vulnerability has a CVSS score of 6.1 (Moderate) with a vector of CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N. The core issue lies in the Context.commandName getter, which incorrectly returns the alias instead of the canonical command name when a message command is invoked using an alias. This behavior affects both middleware functions and command execution contexts. The vulnerability is classified under CWE-706 (Use of Incorrectly-Resolved Name or Reference) (GitHub Advisory, Miggo Database).

The vulnerability can lead to unauthorized command execution or inaccurate access control decisions in security-sensitive cases. This particularly affects middleware used for permission checks, rate limiting, or audit logging. The impact is limited to message commands, while slash commands and context menu commands remain unaffected (GitHub Advisory).

The issue has been fixed in version 1.2.0-rc.12, where ctx.commandName now consistently returns the actual command name regardless of the alias used. For users unable to upgrade immediately, two workarounds are available: use ctx.command.data.command.name for permission validations, or include all command aliases in the permission logic (GitHub Advisory).