CVE-2025-54314
BaseFortify
Publication date: 2025-07-20
Last updated on: 2025-08-10
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rails | thor | 1.4.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-54314 is a command-injection vulnerability in the Ruby library "thor". A shell command is built by interpolating caller-supplied values directly into a single command string, such as `system %(#{merge_tool} "#{temp.path}" "#{destination}")`, which Ruby hands to the system shell. Because the `merge_tool` and `destination` values are neither validated nor escaped, an attacker who controls them can embed shell metacharacters (for example `"`, `;`, `$(...)`) and have the shell run additional commands, leading to arbitrary command execution in the context of the process using Thor. [1, 3]
How can this vulnerability impact me?
This vulnerability can allow an attacker who is able to influence the `merge_tool` or `destination` values to execute arbitrary shell commands on the system where the vulnerable Thor library is used, with the privileges of the Ruby process. Depending on the context (developer tooling, generators, build or deployment scripts), this can lead to file modification, execution of malicious scripts, or privilege escalation. The scored attack vector requires local access and high attack complexity, which limits the exposure, but any code path that passes externally influenced values into these parameters remains a command-injection risk. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is detected by inspection rather than by network signatures. First, check which Thor version is installed (`gem list thor`, or `bundle info thor` inside a Bundler project) and compare it with the fixed release. Then review how Thor, and any code of your own, builds shell commands: look for calls to `system`, `exec`, backticks or `Open3` that assemble a single command string via string interpolation of untrusted values, such as `system %(#{merge_tool} "#{temp.path}" "#{destination}")`. A quick search for the pattern is `grep -rn 'system %(' path/to/your/code`. At runtime, monitoring for unexpected shell (`sh -c`) spawns from Ruby processes involving Thor or merge tools can also help. No specific network detection commands are provided. [1, 3]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, upgrade the Thor library to version 1.4.0 or later, where the unsafe shell command construction was fixed by replacing the interpolated string with an argument-separated `system` call. Passing the program and each argument separately makes Ruby execute the program directly, so the inputs are never parsed by a shell and cannot inject commands. If upgrading is not immediately possible, audit and refactor any code that calls `system` (or `exec`, backticks, `Open3`) with interpolated inputs to use the argv form, such as `system(merge_tool, temp.path, destination)`. Where a single command string is unavoidable, escape each value with `Shellwords.escape` or build the string with `Shellwords.join`. Avoid passing untrusted input directly into shell commands. [2, 3]
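The following is an added, self-contained Ruby example (not Thor's own code or the advisory's) that serves both the detection and the mitigation answers above. It contains a constructed source snippet with the vulnerable and fixed call shapes, a small scanner that flags `system`/`exec`/`spawn` calls whose command string carries `#{...}` interpolation, and three runners that execute the same `merge_tool`/`temp.path`/`destination` triple in the interpolated, argv, and `Shellwords`-escaped forms. The function names, the `echo` stand-in for a merge tool, the fake temp path and the `$(echo INJECTED)` payload are all assumptions made for the demonstration; it expects a POSIX `/bin/sh`.

```ruby
require "open3"
require "shellwords"

# Constructed sample source (a stand-in for application code, not Thor itself).
# Single-quoted heredoc so the #{...} stays literal text for the scanner.
SAMPLE_SOURCE = <<~'RUBY'
  def merge(merge_tool, temp, destination)
    system %(#{merge_tool} "#{temp.path}" "#{destination}")
  end

  def merge_fixed(merge_tool, temp, destination)
    system(merge_tool, temp.path, destination)
  end
RUBY

# A single-string command built from interpolation is the shape to audit:
# a shell-spawning call followed by a string/%() literal that embeds #{...}.
INTERPOLATED_SHELL_CALL = /\b(?:system|exec|spawn)\b.*?(?:%[Qq]?[(\[{<]|").*?#\{/

# Returns [[line_number, line_text], ...] for every suspicious line in +source+.
def find_interpolated_shell_calls(source)
  source.each_line.with_index(1).select { |line, _n| line.match?(INTERPOLATED_SHELL_CALL) }
        .map { |line, n| [n, line.strip] }
end

# Vulnerable shape: one interpolated string. Ruby passes a string containing
# shell metacharacters to /bin/sh -c, so "$(...)", ";" etc. are interpreted.
def run_merge_interpolated(merge_tool, temp_path, destination)
  cmd = %(#{merge_tool} "#{temp_path}" "#{destination}")
  out, _status = Open3.capture2(cmd)
  out
end

# Fixed shape (argv form): program and arguments are passed separately, so
# Ruby exec()s merge_tool directly and no shell ever parses the values.
def run_merge_argv(merge_tool, temp_path, destination)
  out, _status = Open3.capture2(merge_tool, temp_path, destination)
  out
end

# Fallback when a single command string is unavoidable: escape every value
# with Shellwords so the shell sees each one as one literal word.
def run_merge_escaped(merge_tool, temp_path, destination)
  cmd = Shellwords.join([merge_tool, temp_path, destination])
  out, _status = Open3.capture2(cmd)
  out
end

if __FILE__ == $PROGRAM_NAME
  puts "Suspicious lines in sample source:"
  find_interpolated_shell_calls(SAMPLE_SOURCE).each { |n, l| puts "  #{n}: #{l}" }

  # Constructed attacker-controlled destination: command substitution payload.
  payload = "$(echo INJECTED)"
  puts "interpolated: #{run_merge_interpolated('echo', '/tmp/fake', payload).inspect}"
  puts "argv:         #{run_merge_argv('echo', '/tmp/fake', payload).inspect}"
  puts "escaped:      #{run_merge_escaped('echo', '/tmp/fake', payload).inspect}"
end
```

Run it directly and the interpolated form prints `/tmp/fake INJECTED`, proving the payload was executed by the shell, while the argv and escaped forms print the payload as literal text. Argv form is the preferred fix because it removes the shell from the path entirely; `Shellwords` is only for cases where the command must go through a shell (pipes, redirections) and still leaves the program name itself to be validated.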