CommandKit Logic Flaw in Alias Handling for Message Commands

Vulnerability

A logic flaw has been identified in CommandKit, a meta-framework for building Discord bots with discord.js. The flaw exists in versions 1.2.0-rc.1 prior to 1.2.0-rc.11 and concerns how the message command handler treats command aliases. When a command is invoked through an alias, the 'ctx.commandName' property holds the alias rather than the canonical command name, both inside middleware functions and in the command's execution context.

Although the documentation does not state this explicitly, the behavior contradicts the expectation set by CommandKit's examples, which treat 'ctx.commandName' as the official command identifier. Developers who rely on that property for security-relevant logic, such as permission checks or audit logging, may therefore compare against the canonical name while the property holds an alias, leading to unauthorized command execution or incorrect access control decisions. This vulnerability does not affect slash commands or context menu commands.

Impact

Exploitation of this vulnerability could result in unauthorized command execution or incorrect access control decisions, particularly if 'ctx.commandName' is used for permission validations or similar security-sensitive logic.

Remediation

Upgrade to CommandKit version 1.2.0-rc.12, where the issue has been fixed. If an immediate upgrade is not possible, use 'ctx.command.data.command.name' rather than 'ctx.commandName' for permission validations, or include every alias of a restricted command in the permission logic so that an alias invocation is matched as well.
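The following is an added illustration, not CommandKit's own code, of why a permission check keyed on 'ctx.commandName' fails for alias invocations and how the two workarounds above close the gap. The 'ctx' objects are constructed to mirror the property paths the advisory names ('ctx.commandName' and 'ctx.command.data.command.name'); the 'aliases' array under 'data.command', the 'member.isAdmin' flag, the 'ban' command and its 'b' alias are all assumptions made for the example.

```javascript
// Constructed: commands whose canonical name requires an administrator.
const ADMIN_ONLY = new Set(['ban']);

// Constructed command definition. The canonical name lives at
// data.command.name (as in the advisory); the aliases location is assumed.
const banCommand = { data: { command: { name: 'ban', aliases: ['b'] } } };

// Build a context the way the affected versions behave: commandName reflects
// whatever token the user typed, alias or canonical name alike.
function makeContext(typedName, command, memberIsAdmin) {
  return {
    commandName: typedName,
    command,
    member: { isAdmin: memberIsAdmin },
  };
}

// Vulnerable check: keys the lookup on ctx.commandName. When the user types
// the alias 'b', ADMIN_ONLY does not contain it and a non-admin is allowed.
function isAllowedVulnerable(ctx) {
  if (ADMIN_ONLY.has(ctx.commandName)) return ctx.member.isAdmin;
  return true;
}

// Workaround 1: compare the canonical name, which is alias-independent.
function isAllowedCanonical(ctx) {
  const name = ctx.command.data.command.name;
  if (ADMIN_ONLY.has(name)) return ctx.member.isAdmin;
  return true;
}

// Workaround 2: expand the restricted set with every alias of each restricted
// command so that the alias-sensitive property still matches.
function restrictedNamesWithAliases(commands) {
  const names = new Set();
  for (const cmd of commands) {
    const { name, aliases = [] } = cmd.data.command;
    if (ADMIN_ONLY.has(name)) {
      names.add(name);
      for (const alias of aliases) names.add(alias);
    }
  }
  return names;
}

function isAllowedWithAliases(ctx, restricted) {
  if (restricted.has(ctx.commandName)) return ctx.member.isAdmin;
  return true;
}

// Audit logging should record the canonical name so that one command's
// invocations do not fragment across its aliases; keep the typed token too.
function auditLine(ctx) {
  return `${ctx.command.data.command.name} invoked as "${ctx.commandName}"`;
}

// Stand-alone demonstration: a non-admin invoking the restricted command
// through its alias slips past the vulnerable check but not the fixed ones.
const nonAdminViaAlias = makeContext('b', banCommand, false);
console.log('vulnerable check allows alias:', isAllowedVulnerable(nonAdminViaAlias));
console.log('canonical-name check allows alias:', isAllowedCanonical(nonAdminViaAlias));
console.log('alias-expanded check allows alias:',
  isAllowedWithAliases(nonAdminViaAlias, restrictedNamesWithAliases([banCommand])));
console.log(auditLine(nonAdminViaAlias));
```

The canonical-name check is the simpler fix to maintain, because the alias-expanded set must be rebuilt whenever a restricted command gains an alias; the audit helper shows the same principle applied to logging, where keying on the alias would scatter one command's history under several names.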

Added: Oct 15, 2025, 5:23 PM
Updated: Oct 15, 2025, 5:23 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 3.3
remediation: 7.7
relevance: 0.7
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.