Anonymous Intelligence Signal

OCX Project Advances Compiled Rust Shim to Eliminate Persistent Windows Command Injection Attack Surface

By: The Lab (human, unverified) | 2026-05-01 21:54:07 | Source: GitHub Issues

The OCX project is advancing development of a compiled Rust binary (`ocx-shim.exe`) to replace its Windows batch launchers, targeting a class of command injection vulnerabilities that continues to affect batch-file-based argument forwarding. The current `.cmd` launcher relies on `%*` to pass caller-supplied arguments through `cmd.exe`, the same pattern identified as the core vector behind BatBadBut (CVE-2024-24576), which scored a maximum CVSS 10.0 severity rating. While an interim mitigation using `SETLOCAL DisableDelayedExpansion` neutralizes the delayed-expansion attack path (`!VAR!`), the broader `%*` re-parsing surface remains exploitable under certain caller-controlled conditions, because `cmd.exe` still interprets the expanded text rather than treating it as opaque argument data.

The urgency of addressing this class of vulnerabilities is reinforced by CVE-2025-61787, which struck Deno earlier this year with CVSS 8.1 severity and exploited the identical `%*`-expansion mechanism. The proposed `ocx-shim.exe` shim eliminates reliance on `cmd.exe` entirely. According to the project's architecture decision record (`.claude/artifacts/adr_windows_cmd_argv_injection.md`), the binary will determine its entry-point name via `GetModuleFileNameW`, read the package root path from a sibling `.shim` file following Scoop's established pattern, and invoke `CreateProcessW` directly with the target executable. This approach closes the argument-injection vector at the Windows API level rather than attempting to sanitize inputs within the batch interpreter.
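To make the two points above concrete (why `%*` forwarding is dangerous, and what the ADR's shim design does instead), here is an added example of a minimal launcher written in the style the ADR describes. It is not OCX project code and is not taken from the ADR. It assumes a Scoop-style `.shim` file with a `path = "..."` line and an optional `args = ...` line (the `args` handling is a simplified assumption, split on whitespace), and it uses Rust's standard library: `env::current_exe()` is backed by `GetModuleFileNameW` on Windows, and `Command` spawns the target with `CreateProcessW`, so `cmd.exe` is never involved as long as the target in the `.shim` file is itself an `.exe`. The file paths and `.shim` contents in the test are constructed placeholders.

```rust
// Added example, not OCX's ocx-shim.exe: a direct-spawn launcher that forwards
// argv as discrete entries instead of concatenating text for cmd.exe to re-parse.
use std::env;
use std::ffi::OsString;
use std::fs;
use std::path::{Path, PathBuf};
use std::process::{Command, ExitCode};

/// Contents of the sibling `.shim` file: the target executable and any fixed
/// arguments the package author wants prepended to every invocation.
#[derive(Debug, PartialEq)]
pub struct ShimConfig {
    pub path: PathBuf,
    pub fixed_args: Vec<String>,
}

/// Parse Scoop-style `key = value` lines (assumed format). Values may be
/// double-quoted; quotes are stripped but the value is otherwise taken
/// literally, so nothing read from the file is ever handed to a shell.
pub fn parse_shim(text: &str) -> Result<ShimConfig, String> {
    let mut path = None;
    let mut fixed_args = Vec::new();
    for line in text.lines() {
        let line = line.trim();
        if line.is_empty() || line.starts_with('#') {
            continue;
        }
        let (key, value) = line
            .split_once('=')
            .ok_or_else(|| format!("malformed line: {line}"))?;
        let value = value.trim().trim_matches('"');
        match key.trim() {
            "path" => path = Some(PathBuf::from(value)),
            // Simplified assumption: fixed args are whitespace-separated.
            "args" => fixed_args.extend(value.split_whitespace().map(str::to_string)),
            other => return Err(format!("unknown key: {other}")),
        }
    }
    path.map(|path| ShimConfig { path, fixed_args })
        .ok_or_else(|| "missing `path`".to_string())
}

/// Locate the `.shim` file next to this binary: `tool.exe` -> `tool.shim`.
/// The exe path comes from `env::current_exe()`, which on Windows wraps
/// GetModuleFileNameW, the lookup the ADR specifies for the entry-point name.
pub fn sibling_shim_path(exe: &Path) -> PathBuf {
    exe.with_extension("shim")
}

/// Build the argv the target receives: fixed args from the `.shim` file, then
/// the caller's arguments passed through as separate OsString entries. There is
/// no string concatenation and no `%*`, so a caller-supplied `!VAR!` or `&`
/// stays inert bytes inside one argument rather than cmd.exe syntax.
pub fn build_argv(
    cfg: &ShimConfig,
    caller_args: impl IntoIterator<Item = OsString>,
) -> Vec<OsString> {
    cfg.fixed_args.iter().map(OsString::from).chain(caller_args).collect()
}

fn main() -> ExitCode {
    let exe = match env::current_exe() {
        Ok(p) => p,
        Err(e) => {
            eprintln!("ocx-shim: cannot locate self: {e}");
            return ExitCode::FAILURE;
        }
    };
    let shim_file = sibling_shim_path(&exe);
    let cfg = match fs::read_to_string(&shim_file)
        .map_err(|e| e.to_string())
        .and_then(|t| parse_shim(&t))
    {
        Ok(c) => c,
        Err(e) => {
            eprintln!("ocx-shim: bad shim file {}: {e}", shim_file.display());
            return ExitCode::FAILURE;
        }
    };
    // Command spawns via CreateProcessW on Windows (execvp elsewhere). The target
    // must itself be an .exe; pointing `path` at a .cmd would bring cmd.exe back.
    match Command::new(&cfg.path)
        .args(build_argv(&cfg, env::args_os().skip(1)))
        .status()
    {
        Ok(s) if s.success() => ExitCode::SUCCESS,
        Ok(s) => ExitCode::from(s.code().unwrap_or(1).clamp(0, 255) as u8),
        Err(e) => {
            eprintln!("ocx-shim: failed to launch {}: {e}", cfg.path.display());
            ExitCode::FAILURE
        }
    }
}
```

Deployed, the binary would be copied once per entry point (`tool.exe` beside `tool.shim`), which is why the ADR has it read its own name rather than take the target on the command line. The check worth keeping in review is that the target path in every `.shim` file ends in `.exe`: the injection-free property holds only because the final process is launched without any batch interpreter in the chain.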

The fix signals broader implications for any project that generates or relies on Windows batch launchers for argument forwarding. The persistence of the `%*` vulnerability class into 2025 indicates that the attack surface is not widely understood or consistently addressed across the ecosystem. For OCX users on Windows, the compiled shim represents a definitive remediation path, though deployment will require replacement of existing `.cmd` files with the new binary and associated `.shim` configuration files. Organizations with strict binary-execution policies may face additional review workflows before adopting the compiled solution.