CVE-2025-52483
BaseFortify
Publication date: 2025-06-25
Last updated on: 2025-09-19
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| julialang | registrator | to 1.9.5 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-52483 is a critical command injection vulnerability in the Registrator.jl GitHub app, specifically in the `withpasswd()` function. If the clone URL returned by GitHub is malicious or manipulated, it can lead to shell script injection, allowing an attacker to execute arbitrary commands remotely (RCE). This happens because dynamic variables are interpolated directly into shell scripts without proper sanitization. The vulnerability affects versions up to 1.9.4 and is fixed in version 1.9.5. [1, 2]
How can this vulnerability impact me? :
This vulnerability can allow an attacker to execute arbitrary code remotely on systems running vulnerable versions of Registrator.jl. This could lead to unauthorized access, data compromise, or control over the affected system. Since the injection occurs via a malicious clone URL, attackers could exploit this to run harmful commands without user interaction. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should immediately upgrade Registrator.jl to version 1.9.5 or later, where the vulnerability in the withpasswd function has been fixed. There are no known workarounds available, so upgrading is the only effective mitigation. [1]