This repository was archived by the owner on Feb 5, 2026. It is now read-only.
Vulnerability in plugin_only mode
Package
No package listed
Affected versions
cc1dadca3f49394d7f65285f49169338d34fbb9d
Patched versions
3817ab733c21c07ebd6c8005cef6a7df4708e906
Impact
We added the plugin_only mode in PR 180. This mode was intended for users who only want to call the plugins without generating any code.
However, a malicious user is able to violate the plugin_only mode using injection attacks.
This issue affects all versions of TaskWeaver before PR 250 if the plugin_only mode is enabled. This issue has no effect if the user has not enabled the plugin_only mode.
We recommend that all users upgrade to the latest version of TaskWeaver to avoid this issue.
Patches
This issue is addressed in PR 250.