Nextlevelbuilder UI/UX Pro Max Skill Tailwind Config Generator Code Injection Vulnerability Leading to Remote Code Execution

Vulnerability

A code injection vulnerability has been identified in the Nextlevelbuilder UI/UX Pro Max Skill, affecting versions up to and including 2.5.0. The issue resides in the Tailwind Config Generator component, in the function '_format_plugins' of the file '.claude/skills/ui-styling/scripts/tailwind_config_gen.py'. Plugin names are inserted into the generated configuration without sanitization, so a crafted plugin name can inject arbitrary JavaScript into the configuration file. The injected code executes with full system privileges when the generated Tailwind configuration file is loaded by Node.js.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the user's machine via the Node.js runtime, with potential access to read and write any files, execute processes, and consume system resources. Additionally, if this skill is used in a CI/CD pipeline, it could lead to accessing deployment secrets.

Reproduction

To reproduce this vulnerability, first install the Nextlevelbuilder UI/UX Pro Max Skill version 2.5.0 or earlier. Then, use the Tailwind Config Generator feature by adding a plugin name that includes a single quote to break out of the 'require()' call and inject JavaScript code. After the configuration is generated, run a command that loads the Tailwind config file, such as 'npx tailwindcss build', which will execute the injected code.

Remediation

The vulnerability can be remediated by validating and escaping plugin names before they are inserted into the generated configuration. This can be done either by restricting plugin names to the characters valid in a package name (rejecting quotes and any other character that could terminate the 'require()' string) or by checking them against an allowlist of acceptable plugin names.
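As an added illustration (not the project's own code, which is not reproduced here), the unsafe interpolation pattern is shown beside a hardened generator that validates plugin names against a strict character pattern and an optional allowlist before emitting 'require()' calls. Function names, the regular expression and the sample allowlist are assumptions made for this example.

```python
import json
import re

# Constructed, conservative pattern for npm package names (stricter than npm's
# full rules): optional @scope/, then lowercase letters, digits, '.', '-', '_'.
# It admits no quotes, backslashes, parentheses or newlines, so a name that
# matches cannot terminate the require('...') string in the generated JS.
PLUGIN_NAME_RE = re.compile(r"(@[a-z0-9][a-z0-9._-]*/)?[a-z0-9][a-z0-9._-]*")

# Optional allowlist of plugins the generator is willing to emit at all
# (sample set, constructed for this example).
KNOWN_PLUGINS = frozenset({
    "@tailwindcss/forms",
    "@tailwindcss/typography",
    "@tailwindcss/aspect-ratio",
})

def is_valid_plugin_name(name: str) -> bool:
    """True only if the whole string matches the allowed character pattern."""
    return isinstance(name, str) and PLUGIN_NAME_RE.fullmatch(name) is not None

def format_plugins_unsafe(plugins):
    """The vulnerable pattern: names are interpolated verbatim into JS source."""
    return ",\n".join(f"    require('{p}')" for p in plugins)

def format_plugins(plugins, allowlist=None):
    """Hardened: reject anything that fails validation instead of emitting it."""
    lines = []
    for p in plugins:
        if not is_valid_plugin_name(p):
            raise ValueError(f"rejected plugin name: {p!r}")
        if allowlist is not None and p not in allowlist:
            raise ValueError(f"plugin not in allowlist: {p!r}")
        # json.dumps yields a double-quoted, escaped literal that is valid JS;
        # with the pattern above this is defence in depth, not the only barrier.
        lines.append(f"    require({json.dumps(p)})")
    return ",\n".join(lines)

def generate_tailwind_config(plugins, allowlist=None):
    """Assemble a minimal tailwind.config.js from validated plugin names."""
    body = format_plugins(plugins, allowlist)
    return (
        "module.exports = {\n"
        "  content: ['./src/**/*.{html,js}'],\n"
        "  plugins: [\n" + body + "\n  ],\n"
        "};\n"
    )
```

Running 'format_plugins' with a name containing a quote raises instead of producing a configuration, which is the behaviour a CI pipeline should want: a failed generation step rather than a silently poisoned config file.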

Added: May 1, 2026, 9:26 PM
Updated: May 1, 2026, 9:26 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 8.2
remediation: 0.0
relevance: 7.2
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.