Bug: Missing shebang in CLI binary and Security Research Disclosure #1410

Description

@Dremig

Describe the bug

  1. CLI Functional Bug

I noticed that the CLI binary in @stacksjs/tlsx v0.13.0 is missing the shebang line (#!/usr/bin/env node) at the top of bin/cli.js.
On macOS and Linux, this causes the terminal to execute the file as a Shell script instead of a Node.js script, leading to a syntax error: syntax error near unexpected token 's'.
Suggested Fix: Add #!/usr/bin/env node to the first line of the CLI source.

  2. Security Disclosure

While debugging the issue above, I performed a security audit of the codebase and identified a critical command injection vulnerability (RCE). Please contact dr3m19@icloud.com for more details.

Reproduction

CLI Functional Bug and Security Disclosure

System Info

  System:
    OS: macOS 15.6
    CPU: (8) arm64 Apple M1
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 24.10.0 - /Users/.../.nvm/versions/node/v24.10.0/bin/node
    Yarn: 1.22.22 - /Users/.../.nvm/versions/node/v24.10.0/bin/yarn
    npm: 10.9.4
    pnpm: 10.24.0 - /opt/homebrew/bin/pnpm
  Browsers:
    Chrome: 145.0.7632.117
    Firefox: 148.0
    Safari: 18.6

Used Package Manager

npm

Validations

  • Follow our Code of Conduct
  • Read the Contributing Guide.
  • Check that there isn't already an issue that reports the same bug to avoid creating a duplicate.
  • Check that this is a concrete bug. For Q&A, please open a GitHub Discussion instead.
  • The provided reproduction is a minimal reproducible example of the bug.
