diff --git a/cli/package.json b/cli/package.json
index 536d0313..94a96659 100644
--- a/cli/package.json
+++ b/cli/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@openrouter/spawn",
- "version": "0.8.2",
+ "version": "0.8.3",
 "type": "module",
 "bin": {
 "spawn": "cli.js"
diff --git a/cli/src/update-check.ts b/cli/src/update-check.ts
index a24e3d84..7a9264d2 100644
--- a/cli/src/update-check.ts
+++ b/cli/src/update-check.ts
@@ -196,6 +196,11 @@ function reExecWithArgs(): void {
 function performAutoUpdate(latestVersion: string): void {
 printUpdateBanner(latestVersion);
 
+ // Validate RAW_BASE immediately before use to prevent command injection (CWE-78, #1819)
+ if (!GITHUB_RAW_URL_PATTERN.test(RAW_BASE)) {
+ throw new Error(`Security: RAW_BASE failed pre-execution validation: ${RAW_BASE}`);
+ }
+
 try {
 executor.execSync(`curl -fsSL ${RAW_BASE}/cli/install.sh | bash`, {
 stdio: "inherit",
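Review bot: The new guard still leaves RAW_BASE interpolated into a shell command string on the `executor.execSync` line, so its protection rests entirely on GITHUB_RAW_URL_PATTERN, which is defined outside this hunk; for the check to actually exclude shell metacharacters the pattern must be anchored at both ends (`^…$`) and confined to a fixed host plus a narrow path character class, and a comment stating that requirement beside the pattern would keep a later loosening from silently reopening CWE-78. A more robust fix would avoid the shell altogether: fetch the script with an argv-style call such as `execFileSync("curl", ["-fsSL", RAW_BASE + "/cli/install.sh"])` and hand the bytes to `bash` via the `input` option, so no string interpolation happens regardless of the regex; the `curl | bash` step also fetches code with no integrity check, which the commit does not change. The thrown message echoes the rejected RAW_BASE verbatim; if the value can come from the environment rather than a compile-time constant, consider omitting or escaping it so a malformed value cannot carry terminal control sequences into logs. If GITHUB_RAW_URL_PATTERN carries the `g` or `y` flag, `.test()` is stateful across calls and could pass or fail inconsistently, which is worth confirming at its definition. performAutoUpdate's body continues past the end of the hunk.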