Advisories for Npm/Tidgi package

2026

TidGi Desktop Remote Code Execution via Malicious TiddlyWiki Repository Import — Tiddler Startup Module Auto-Execution

TidGi Desktop through 0.13.0 contains a critical remote code execution vulnerability exploitable via a single Git repository import. The vulnerability leverages TiddlyWiki's module system, which automatically discovers and executes JavaScript code embedded in .tid files placed in the wiki's tiddlers/ directory: Auto-loading of .tid files (src/services/wiki/wikiWorker/loadWikiTiddlersWithSubWikis.ts:59-92) — when TidGi boots a wiki workspace, loadWikiTiddlers reads all .tid files from the filesystem and adds them to the wiki store via wiki.addTiddlers(). …