A critical arbitrary command execution vulnerability in jdx mise exposes developers to potential system compromise via malicious .tool-versions files.

The application incorrectly exposes the exec() function within the Tera template engine when parsing .tool-versions files; this allows an unauthenticated attacker to execute arbitrary commands by placing a crafted file in a repository.

With a CVSS score of 9.6, this vulnerability poses a severe risk of full system compromise for any developer or automated system using the affected software. Successful exploitation could lead to unauthorized data exfiltration, lateral movement within the development environment, and the potential for supply chain attacks if malicious code is introduced into build pipelines.

Immediate Action: Upgrade jdx mise to version 2026.3.10 or later immediately to patch the template engine processing logic.

Proactive Monitoring: Monitor developer workstations and CI/CD pipelines for unexpected process execution originating from the mise tool.

Compensating Controls: Implement strict repository trust policies and avoid executing mise in directories from untrusted sources until the update is applied.

Public Exploit Available: Not specified

Given the critical severity of this arbitrary code execution flaw, organizations should prioritize the update of all instances of jdx mise. The vulnerability is particularly dangerous as it triggers automatically upon navigating into a directory, leaving little room for user error to prevent exploitation.