CVE-2025-52483

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-52483
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-52483.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-52483
Aliases
Published
2025-06-25T16:39:45.707Z
Modified
2026-04-02T12:52:06.632177Z
Severity
  • 8.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U CVSS Calculator
Summary
Registrator.jl Vulnerable to Argument Injection and Command Injection
Details

Registrator is a GitHub app that automates creation of registration pull requests for julia packages to the General registry. Prior to version 1.9.5, if the clone URL returned by GitHub is malicious (or can be injected using upstream vulnerabilities) a shell script injection can occur within the withpasswd function. Alternatively, an argument injection is possible in the gettreeshafunction. either of these can then lead to a potential RCE. Users should upgrade immediately to v1.9.5 to receive a fix. All prior versions are vulnerable. No known workarounds are available.

Database specific 
{
    "cwe_ids": [
        "CWE-77"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/52xxx/CVE-2025-52483.json"
}
References

Affected packages

Git / github.com/juliaregistries/registrator.jl

Affected ranges

Type
GIT
Repo
https://github.com/juliaregistries/registrator.jl
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
c65b0c8c0df714c865d333aa23de07faab3f3492

Affected versions

Other
jt102
jt103
jt105
v0.*
v0.0.1
v0.0.2
v0.0.3
v0.1.0
v1.*
v1.0.0
v1.0.1
v1.1.0
v1.1.1
v1.2.0
v1.2.1
v1.2.2
v1.2.3
v1.2.4
v1.2.5
v1.2.6
v1.2.7
v1.2.8
v1.2.9
v1.3.0
v1.4.0
v1.4.1
v1.5.0
v1.6.0
v1.7.0
v1.8.0
v1.8.1
v1.9.0
v1.9.1
v1.9.2
v1.9.3
v1.9.4

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-52483.json"