Vulnerability  ·  2026-06-27

mise Dev-Tool Manager — Arbitrary Command Execution via Tera Template Injection in .tool-versions (Trust Bypass)

Vulnerability  ·  High impact  ·  Global  ·  CVE-2026-33646
mise processes .tool-versions configuration files through the Tera template engine during parsing and registers the exec() function in that context. Unlike .mise.toml files, .tool-versions files are not subject to trust verification in non-paranoid mode. An attacker can embed arbitrary Tera exec() calls in a .tool-versions file committed to a repository; any developer who cds into the directory with mise activated automatically executes the attacker's commands, with no prompt or warning.
mise is heavily used in AI/ML developer workflows for managing Python, Node, and other toolchain versions. This is a supply-chain/drive-by attack: a malicious open-source repo, a social engineering lure, or a compromised upstream repository can execute attacker code on any developer machine that has mise activated — instantly exfiltrating cloud credentials, API keys, model weights, or establishing persistent access without any user interaction beyond a directory change.
An attacker places a malicious .tool-versions file in a git repository. The file contains Tera template directives calling the registered exec() function. When a victim with mise shell activation runs 'cd' into the directory, mise parses .tool-versions through the Tera engine without performing any trust check (unlike .mise.toml files), and the embedded exec() call runs arbitrary OS commands immediately.
Affected versions: mise < 2026.3.10
Remediation: Upgrade to mise 2026.3.10 or later. Advisory: https://github.com/jdx/mise/security/advisories/GHSA-fjj5-v948-whjj
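The root cause above is that a configuration file from an untrusted directory reaches a template engine with a command-execution function registered. As an added defensive example (not mise's own code, and not derived from the advisory), the following Python scanner shows the two controls a practitioner would want: flag any Tera directive ({{ }}, {% %}, {# #}) in a .tool-versions file, escalate directives that call exec(), and refuse to expand templated files unless the directory is on an explicit trust allowlist. The directive syntax and the exec(command=...) keyword form are assumed from Tera/mise's documented template style; the allowlist gate is a simplified stand-in for the trust check the page says mise applies to .mise.toml files, and the sample file contents and paths are constructed.

```python
"""Flag Tera template directives in .tool-versions files before they are expanded.

Added defensive example, not code from mise or the advisory. Assumptions:
Tera delimiters {{ }}, {% %}, {# #} and the exec(command=...) call shape;
the allowlist-based trust gate stands in for mise's own trust verification.
"""
import os
import re
from pathlib import PurePosixPath

# Tera delimiters: expressions, statements and comments (assumed syntax).
DIRECTIVE_RE = re.compile(r"\{\{.*?\}\}|\{%.*?%\}|\{#.*?#\}")
# Any call to the exec() function inside a directive.
EXEC_RE = re.compile(r"\bexec\s*\(")


def find_directives(text):
    """Return (line_number, directive_text) for every Tera directive found."""
    found = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in DIRECTIVE_RE.finditer(line):
            found.append((lineno, match.group(0)))
    return found


def is_trusted(path, trusted_dirs):
    """Allowlist gate: only files under an explicitly trusted directory pass.

    Compares whole path components so /home/dev/trusted does not match
    /home/dev/trustedX.
    """
    parts = PurePosixPath(path).parts
    for trusted in trusted_dirs:
        tparts = PurePosixPath(trusted).parts
        if parts[: len(tparts)] == tparts:
            return True
    return False


def scan_tool_versions(text, path, trusted_dirs=()):
    """Classify one .tool-versions file.

    Verdicts:
      clean              - no template directives, safe to parse as plain text
      templated-trusted  - directives present, but directory is allowlisted
      block              - directives present in an untrusted directory:
                           do not hand this file to the template engine
    """
    findings = []
    for lineno, directive in find_directives(text):
        severity = "high" if EXEC_RE.search(directive) else "medium"
        findings.append({"line": lineno, "directive": directive, "severity": severity})
    if not findings:
        verdict = "clean"
    elif is_trusted(path, trusted_dirs):
        verdict = "templated-trusted"
    else:
        verdict = "block"
    return {"path": path, "verdict": verdict, "findings": findings}


def scan_tree(root, trusted_dirs=()):
    """Walk a checkout and scan every .tool-versions file found (for real repos)."""
    results = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if ".tool-versions" in filenames:
            full = os.path.join(dirpath, ".tool-versions")
            with open(full, encoding="utf-8", errors="replace") as fh:
                results.append(scan_tool_versions(fh.read(), full, trusted_dirs))
    return results


# Constructed sample contents (not from any real repository).
SAMPLE_CLEAN = "python 3.12.1\nnode 20.11.0\n"
SAMPLE_TEMPLATED = (
    "python 3.12.1\n"
    'node {{ exec(command="echo 20.11.0") }}\n'
    "ruby 3.3.0 {# pinned for CI #}\n"
)
TRUSTED = ["/home/dev/trusted"]


if __name__ == "__main__":
    for content, path in (
        (SAMPLE_CLEAN, "/home/dev/untrusted/.tool-versions"),
        (SAMPLE_TEMPLATED, "/home/dev/untrusted/.tool-versions"),
        (SAMPLE_TEMPLATED, "/home/dev/trusted/repo/.tool-versions"),
    ):
        result = scan_tool_versions(content, path, TRUSTED)
        print(result["verdict"], path)
        for f in result["findings"]:
            print(f"  line {f['line']} [{f['severity']}] {f['directive']}")
```

Run it against a checkout with scan_tree(".", trusted_dirs=[...]) from a pre-commit hook or CI job; a "block" verdict on a freshly cloned repository is exactly the situation the advisory describes, and the high-severity finding pinpoints the line that would have executed on cd.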
Sources
Feedly: CVE-2026-33646 (advisory confirmed via GitLab Advisory Database)
NVD: CVE-2026-33646
GitHub Advisory: GHSA-fjj5-v948-whjj